
Europe's GDPR cops dished out €1.2B in fines last year as data breaches piled up

(2026/01/22)


GDPR fines pushed past the £1 billion (€1.2 billion) mark in 2025 as Europe's regulators were deluged with more than 400 data breach notifications a day, according to a new survey that suggests the post-plateau era of enforcement has well and truly arrived.

The figures come from [1] the latest GDPR Fines and Data Breach Survey published by DLA Piper, which puts total fines issued across Europe last year at roughly £1 billion (€1.2 billion), up from £996 million in 2024. While that year-on-year increase is modest, regulators have now handed down €7.1 billion (£6.2 billion) in penalties since GDPR came into force in May 2018.

The fines may look familiar, but breach reporting does not. From 28 January 2025 to the present, Europe's data protection authorities received an average of 443 personal data breach notifications a day. That's up 22 percent on the year before, and marks the first time daily reports have pushed past 400 since the regulation came into force.


The firm avoids pointing to a single root cause. Rather than offering a neat explanation, the survey describes several things going wrong at once: geopolitics, repeated cyber incidents, and attack tooling that's now easy to obtain, with regulatory overload sitting in the background. Organizations are now juggling GDPR alongside a widening set of incident reporting regimes under laws such as NIS2 and DORA, which have raised the baseline for what needs to be disclosed – and how quickly.


Ross McKean, chair of DLA Piper's UK data, privacy, and cybersecurity practice, said that the numbers should be read as a warning, not just another set of stats. "Confirmation of such a significant increase in personal data breach notifications in black and white is, for me, the quieting canary," he said.

"Coupled with the slew of new cybersecurity laws impacting business, some of which impose personal liability on members of management bodies, our report underscores the urgency and need for organizations to optimize cyber defences and operational resilience."


On the enforcement side, the familiar names remain at the top of the leaderboard. Ireland once again dominates the tables, with aggregate fines issued by the Irish Data Protection Commission now reaching €4.04 billion since GDPR began, accounting for well over half of all fines issued across Europe during that period. France and Luxembourg are next in line, but a long way back, showing how much of GDPR enforcement is being driven by a small number of regulators.


Ireland also handed down the biggest single penalty of 2025, [10] a €530 million fine against TikTok over unlawful international data transfers. That still wasn't enough to unseat the current record, set two years earlier when regulators [11] hit Meta with a €1.2 billion sanction. Big tech remains the favorite target, with DLA Piper noting that nine of the ten largest GDPR fines on the books have landed there.

Seven years in, and GDPR appears to be finding its stride. The penalties are routine, the breach reports are back on the rise, and the paperwork is as relentless as ever. ®




[1] https://www.dlapiper.com/en-ro/insights/publications/2026/01/dla-piper-gdpr-fines-and-data-breach-survey-january-2026


[10] https://www.theregister.com/2025/05/02/tiktok_gdpr_fine/

[11] https://www.theregister.com/2023/05/22/dpc_fines_meta_12b_tells/




But how many have been paid?

dippy1

Great issuing fines but have they actually been paid? Or are they just being ignored?

And where does the money go if and when collected?

Re: But how many have been paid?

Pickle Rick

And where do the DollarPounds come from? Tax payers or customers ultimately. Not sure fines are the best way, in totality.

Prison for the worst offenders? I'd say so, but that costs money too. In business, those that breach regulations are prohibited from holding certain positions, e.g. cannot be a company director, yet CxOs can jump ship with a golden parachute, become an MP (maybe even a PM[1]), switch to a company in a different country and just jump around. Without a genuine cross border agreement that "this should not happen", there's only so much. I won't work with unethical fuck pigs, others have a different outlook.

[1] Tony Blaaaargh + Oracle still fucking around with ID shit - FRO

Puzzled Old Codger Here.....

Anonymous Coward

Yup.....1.2 billion Euros in fines.

But what about TAXPAYERS picking up the slack for LOUSY cybersecurity?

I'm thinking about the 1.5 billion pound loan TAXPAYERS under-wrote to help Jaguar Land Rover (and Tata Consulting) recover from a HUGE hack.

Perhaps someone on the ElReg reporting team will research HOW MUCH MORE money TAXPAYERS are committing caused by LOUSY security.

Sounds like GDPR fines might be SMALLER than other TAXPAYER commitments! If correct, it would turn out that GDPR IS A JOKE!

I think we should be told!

Re: Puzzled Old Codger Here.....

Anonymous Coward

See also: https://www.theregister.com/2026/01/22/financial_sector_cyber_gap/
