John Magee

The eighth edition of the global law firm’s annual GDPR fines and data breach survey reveals that GDPR enforcement across Europe remained consistently high throughout 2025, with regulators issuing fines totalling approximately €1.2 billion, in line with the previous year.

While this represents no year-on-year increase in the total value of fines imposed, it does not signal a slowdown in enforcement, the report says.

Instead, the firm says it reflects a sustained and deliberate level of regulatory activity, underlining the continued willingness of European data protection authorities to impose substantial monetary penalties despite ongoing criticism of the EU’s regulatory approach.

Aggregate fines issued by the Irish Data Protection Commission have now reached €4.04 billion, reinforcing Ireland’s position as the EU’s pre-eminent data protection regulator, the report notes.

The largest fine of the year was imposed by the DPC in April 2025, when it issued a €530 million sanction against a social media company for breaching GDPR’s international data transfer rules.

The report says the decision is particularly notable not only for its scale, but because it represents the first major GDPR enforcement relating to transfers of personal data to a non-US third country, underscoring the global reach of enforcement.

France overtook Luxembourg to become the second-largest enforcer overall, and is now the only other European country, after Ireland, to have issued more than €1 billion in GDPR fines since 2018.

The report also highlights a sharp escalation in cyber risk across Europe. Between 28 January 2025 and 27 January 2026, average personal data breach notifications rose by 22 per cent, reaching 443 per day.

This marks a clear departure from the plateau seen in recent years and reflects an increasingly hostile cyber threat landscape, according to the firm.

Set against a backdrop of geopolitical instability, AI-enabled threat actors and high-profile cyber incidents, the increase, it says, points to a growing need for organisations to prioritise security and operational resilience.

Notably, Ireland diverged from the European trend, recording only a modest three per cent increase in breach notifications over the same period.

The Netherlands, Germany and Poland continued to report the highest volumes of breaches overall.

While large technology and social media companies continue to attract the highest fines, regulators are increasingly scrutinising a wider range of sectors, including financial services, telecommunications, utilities and technology services providers.

Authorities also continued to focus heavily on compliance with the lawfulness, fairness and transparency principle, as well as on the security of personal data, with a number of significant fines imposed for failures in technical and organisational measures.

John Magee, partner and global co-chair of DLA Piper’s data, privacy and cybersecurity group, said: “This year’s figures make clear that GDPR enforcement shows no sign of slowing.

“While the total value of fines held steady, regulators remain willing to impose substantial monetary penalties, despite ongoing criticism from outside the EU.

“Ireland’s Data Protection Commission remains Europe’s pre-eminent enforcer by some distance. The €530 million fine — the largest imposed anywhere in Europe in 2025 and a landmark ruling on non-US data transfers — underlines the DPC’s central role in shaping how GDPR is enforced globally.

“The large uptick in personal data breach notifications across Europe is reflective of an increasingly risky cybersecurity threat landscape fuelled by heightened geopolitical tensions and high-profile cyberattacks.

“Ireland’s divergence from this trend in 2025 may reflect an increased hesitancy among businesses to report incidents rather than substantive improvement in underlying security.

“Either way, coupled with a slew of new EU cybersecurity laws, some of which impose personal liability on directors, our report underscores the need for organisations to strengthen their cyber defences and improve operational resilience.”