Since the EU's implementation of the General Data Protection Regulation (GDPR) in May 2018, numerous fines have been issued for violations or non-compliance. Of these, the fine of 1.2 billion euros received by Meta Platforms, Inc. in May 2023 has been by far the greatest. The company was issued such a penalty for personal data transfers to the United States without sufficiently complying with the EU regulation.
Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, fines have been issued for several types of violations. As of February 2025, the most significant share of penalties was due to companies' non-compliance with general data processing principles. This violation has led to over 2.4 billion euros worth of fines.
As of February 2025, the largest fine issued for violation of the General Data Protection Regulation (GDPR) in the United Kingdom (UK) was more than 22 million euros, received by British Airways in October 2020. Another fine received by Marriott International Inc. in the same month was the second-highest in the UK and amounted to over 20 million euros.
As of February 2025, the industry sector seeing the largest fines issued for General Data Protection Regulation (GDPR) violations was media, telecoms and broadcasting. The industry has seen approximately four billion euros in fines, in total, since the enforcement of the law in 2018.
Since the implementation of the General Data Protection Regulation (GDPR) in May 2018, the most significant fine issued in Germany was against the clothing company H&M (Hennes & Mauritz Online Shop) for recording and storing the personal life circumstances of its employees. The fine amounted to over 35.26 million euros and was issued in October 2020. In January 2021, a 10.4 million euro fine was imposed against the electronics retailer notebooksbilliger.de for video-monitoring its employees without a legal basis.
As of February 2025, Spain has imposed the highest number of GDPR fines. The 923 fines had a total amount of approximately 96 million euros in value. With 397 fines in total, Italy ranked second, followed by Germany, where data privacy authorities imposed a total of 203 fines.
Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, Ireland has reported the highest amount of fines issued for violation of the EU regulation, with over 2.8 billion euros. Luxembourg ranked second, with around 746 million euros, while France followed, issuing 371.82 million euros of fines for GDPR violations.
The Italian electricity provider Enel Energia was fined 79.1 million euros by Italy's data privacy regulator, marking the highest fine ever issued in the country since the implementation of the General Data Protection Regulation (GDPR) in May 2018. Prior to this, the most significant fine was imposed in January 2020, when the telecommunications company Telecom Italia (TIM) was penalized 27.8 million euros, making it the second-largest GDPR-related fine in Italy.
In September 2024, TikTok was fined 345 million euros due to violations of the General Data Protection Regulation (GDPR) for reasons of non-compliance with general data processing principles. The highest GDPR penalty was in May 2023, when Meta received a fine of 120 billion euros on the grounds of insufficient legal basis for data processing.
In September 2024, the Irish Data Protection Commission fined Meta Ireland 91 million euros after passwords of social media users were stored in 'plaintext' on Meta's internal systems rather than with cryptographic protection or encryption. In May 2023, the EU fined Meta 1.2 billion euros for violating laws on digital privacy and putting the data of EU citizens at risk through Facebook's EU-U.S. data transfers. European privacy legislation is seen as being far stricter than American privacy law, and the sending of EU citizens’ data to the United States resulted in the record-breaking penalty being issued to the tech giant. In January 2023, after it was discovered that Meta Platforms had improperly required that users of Facebook, Instagram, and WhatsApp accept personalized adverts to use the platforms, the company was issued a 390 million euro fine by the European Commission. EU regulators claim that the social media giant broke the General Data Protection Regulation (GDPR) by including the demand in its terms of service. In addition, Meta was fined 405 million euros by the Irish Data Protection Commission (DPC) in September 2022 for violating Instagram's children's privacy settings. In November 2022, the DPC fined Meta a further 265 million euros for failing to protect their users from data scraping.
GDPR violations in 2022
Social media sites and companies are not the only types of online services upon which users' data can potentially be compromised. In 2022, the online service with the biggest fine for violating GDPR was e-commerce and digital powerhouse Amazon, which was issued a 746 million euro fine. Furthermore, in December 2021, Google was penalized 90 million euros for GDPR violations.
What are the most common GDPR violations?
Since GDPR went into effect in May 2018, fines have been imposed for a variety of reasons. As of June 2022, companies' non-compliance with general data processing principles accounted for the largest share of fines, resulting in over 845 million euros worth of penalties. Insufficient legal basis for data processing was the second most common violation, amounting to 447 million euros in fines.
Since the implementation of the General Data Protection Regulation (GDPR) in May 2018, the most significant fine issued in Austria was against the Austrian Post. The imposed fine amounted to 9.5 million euros. For various violations of GDPR, the company Rewe International received an eight million euro fine, making it the second-highest penalty issued by the Austrian privacy regulator.
Since the implementation of the General Data Protection Regulation (GDPR) in May 2018, the most significant fine issued in France was against Google LLC. The French data privacy regulator imposed this fine in December 2021 after receiving several complaints regarding cookie policies on the websites google.fr and youtube.com. Overall, among the ten highest fines issued for GDPR violations, three involved Google.
As of February 2025, the highest number of fines issued for General Data Protection Regulation (GDPR) violations in the European Union (EU) was due to insufficient legal basis for data processing. There were 672 fines based on this type of violation. Non-compliance with general data processing principles ranked second, with 629 cases.
As of June 2023, Spain was the European country to issue the largest number of GDPR violation fines - over 650. Italy followed, with the local authorities dispensing approximately 265 fines under the European Union general data protection regulation (GDPR). Applied from May 2018 onward, the GDPR is Europe's data protection law, and it is enforced within all the EU Member States.
As of February 2025, the industry sector seeing the highest number of fines issued for General Data Protection Regulation (GDPR) violations was industry and commerce. This industry has seen a total of 476 fines since the enforcement of the law in May 2018.
As of January 2025, the most significant data privacy violation fine worldwide was for social media giant Meta. In May 2023, the Data Protection Commission (DPC) of Ireland decided to fine the company 1.2 billion euros or 1.3 billion U.S. dollars. The Chinese vehicle-for-rent company Didi Global ranked second. In July 2022, China's data privacy regulator fined the company 8.026 billion Chinese yuan, or 1.19 billion U.S. dollars. The 2021 Amazon fine issued by Luxembourg's data privacy regulation authorities was 877 million U.S. dollars and was the third-biggest data breach fine as of the measured month. The 2019 fine of 575 million U.S. dollars to Equifax followed. In this incident, because of unpatched vulnerabilities, nearly 150 million people were affected, which caused the American consumer credit reporting agency to pay at least 575 million U.S. dollars.
As of January 2025, three organizations had received fines under the EU General Data Protection Regulation (GDPR) for transferring data outside the European Union. The highest penalty, with the amount of 1.2 billion euros, was imposed on Meta Platforms Ireland Limited by the Irish data privacy authority Data Protection Commission (DPC). The latest privacy complaint was filed on the 16th of January, 2025. In its complaint, the Austrian data privacy non-profit None of Your Business (noyb) addressed the data transfers from the European Union by a few Chinese companies, including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi. As of late January 2025, the case was ongoing and the amount of the fine was not available.
According to research conducted in October 2023, one-third of GDPR fines imposed against leading social media platforms were for misuse of children's data. The study found that Instagram saw the highest amount of fines for violating children's data privacy online, receiving 405 million euros of fines between May 2018 and October 2023. TikTok followed, with all its fines in the research period containing violation of children's online privacy.
During the first half of 2024, around 88 percent of cyberattacks carried out in Italy had cybercrime as a purpose. Cyber espionage was another motivation, representing the main reason behind roughly four percent of attacks. By contrast, information warfare only accounted for two percent of the cyberattacks in the country in the last examined period.
Data breaches in Italy
In 2023, over half of the Italian digital population was alerted that their personal data had been breached, and 77.5 percent of the alerted users had the misfortune of being affected by data compromise on the dark web. Despite a decrease in the number of data sets affected in data breaches between 2020 and 2023, Italy recorded almost one million exposed data sets at the beginning of 2023. Meanwhile, the average cost of data breaches for both Italian companies and targeted users kept growing, reaching 4.73 million U.S. dollars in 2024, up from the 3.86 million U.S. dollars recorded in the previous year.
The Italian privacy landscape: GDPR effects
As a member state of the European Union, Italy is covered by the General Data Protection Regulation (GDPR). Since 2018, the GDPR has regulated online data privacy and has the responsibility to represent consumers’ interests within the digital and tech landscape of the Union. As of 2023, approximately 265 fines were issued in Italy due to violations of the GDPR – making Italy the second country in Europe with the highest number of violations dispensed to tech companies. The highest GDPR fine ever issued in Italy was at the expense of Telecom Italia (TIM), one of the largest Italian telecommunications companies. TIM was fined approximately 27.8 million euros in January 2020. The GDPR is enforced with the help of the country's Garante della Privacy, the national institution overseeing Italian users’ online rights, cybersecurity, and digital privacy.