GDPR Enforcement in 2025: €1 Billion in Fines, TikTok's €530M Penalty, and What US Companies Keep Getting Wrong
The number everyone in compliance cites is Meta’s €1.2 billion. But that fine came down in 2023. Two years later, GDPR enforcement didn’t slow — it compounded.
In 2025 alone, regulators across Europe issued over €1 billion in new GDPR penalties. TikTok was fined €530 million by Ireland’s Data Protection Commission for transferring EU user data to China. That run followed LinkedIn’s €310 million fine in October 2024 for running behavioral advertising on a legal basis that didn’t hold up. Google racked up its third escalating fine from France’s CNIL: €325 million in 2025, up from €150 million in the previous cookie decision. The escalation on Google is deliberate: regulators treat repeat offenders as having received sufficient warning.
Eight of the ten highest GDPR fines ever issued have landed on US-based companies, totaling approximately €3.9 billion — nearly 63% of all GDPR penalties since the regulation took effect in 2018. If your company processes personal data of EU residents and your compliance posture still treats GDPR as a European problem, you’re misreading the enforcement record.
TL;DR
- GDPR fines exceeded €1 billion in 2025 alone; cumulative total surpasses €7.1 billion across 2,800+ penalties.
- TikTok’s €530M fine (May 2025) was driven by unlawful data transfers to China and transparency failures — not a breach event.
- Eight of the ten largest GDPR fines ever went to US companies, totaling ~€3.9 billion (63% of all fines).
- The three dominant enforcement themes: cross-border data transfer failures, invalid legal basis for processing, and consent dark patterns.
- US companies processing EU user data are in scope regardless of where they’re incorporated or where their servers are.
Why 2025 Was Different
GDPR went into effect in May 2018, but the early enforcement years were relatively measured. Regulators were building investigative infrastructure. Cross-border coordination between supervisory authorities was slow. Many organizations filed compliance documentation and waited to see if anything happened.
What changed after 2022: enforcement matured. Coordination mechanisms between national data protection authorities (DPAs) improved. The GDPR Enforcement Tracker now catalogues over 2,800 fines. More than 60% of the cumulative fine total has landed since January 2023. Regulators in Germany, France, Italy, and Spain are actively pursuing their own investigations rather than waiting for Ireland’s DPC to act on Big Tech.
The practical implication: GDPR enforcement is no longer concentrated in Dublin. A French, German, or Dutch DPA can investigate a US company with EU users, and has done so repeatedly. Clearview AI — the US facial recognition firm — was fined €30.5 million by the Dutch DPA in 2024 without having a European office at all.
TikTok’s €530 Million Fine: What the Transfer Risk Actually Looks Like
On May 2, 2025, Ireland’s Data Protection Commission issued a €530 million fine against TikTok — the third largest GDPR penalty ever — after a multi-year inquiry into whether TikTok was adequately protecting EU users’ data from access by Chinese authorities.
The fine breaks down:
- €485 million for violations of Article 46(1) — transferring EEA user data to China without adequate safeguards
- €45 million for transparency failures — inadequate disclosure to users about data processing practices
The core legal problem wasn’t that TikTok was moving data to China. It was that TikTok couldn’t demonstrate that Chinese data protection standards were equivalent to EU standards, or that EU user data would be protected from access under Chinese anti-terrorism and counter-espionage laws. Executing Standard Contractual Clauses doesn’t resolve that question — it just documents the commitment. The inquiry asked whether the commitment meant anything in practice.
The compounding factor: during the inquiry, TikTok stated that it did not store EEA user data on servers in China. In April 2025, shortly before the decision issued, TikTok informed the DPC that limited EEA data had in fact been stored in China. The transparency fine reflects, in part, this discrepancy.
Practitioner takeaway: “We have SCCs in place” has been an acceptable answer to transfer questions for years. It is no longer sufficient. Post-Schrems II, and now post-TikTok, the question is whether you can demonstrate that the destination’s legal environment provides protection essentially equivalent to the EU’s. For data going to a DPF-certified US recipient, the Framework’s adequacy decision provides that answer; for US recipients that are not certified, you are back to SCCs plus a Transfer Impact Assessment. For data going to China, it is a much harder question, and one TikTok couldn’t answer satisfactorily.
LinkedIn’s €310 Million: The Legal Basis Problem
In October 2024, the Irish DPC fined LinkedIn €310 million following an investigation into behavioral advertising practices. The violations:
- Insufficient legal basis — LinkedIn had been relying on “legitimate interests” and “contractual necessity” as the legal basis for processing behavioral advertising data. The DPC found neither applied.
- Invalid consent — where LinkedIn did rely on consent, the DPC found it didn’t meet GDPR’s requirements: it wasn’t specific, informed, or freely given.
- Transparency failures — LinkedIn’s privacy notices didn’t adequately explain how personal data was used for advertising.
The legal basis issue matters for any company running targeted advertising or behavioral analytics on EU users. GDPR Article 6 requires a specific, applicable lawful basis for every processing activity. The six options — consent, contract, legal obligation, vital interests, public task, legitimate interests — are not interchangeable. Legitimate interests requires a documented balancing test showing your interests genuinely outweigh data subjects’ privacy interests. “We want to improve our products” doesn’t clear that bar for behavioral advertising.
The Google Escalation Pattern: Repeat Violations Get More Expensive
France’s CNIL has now fined Google three times for overlapping conduct around consent, most of it cookie consent flows that don’t give users a genuine choice. One procedural point worth knowing: French cookie fines are issued under the ePrivacy rules transposed into French law, which sit outside the GDPR one-stop-shop mechanism. That is why the CNIL could act against Google directly rather than routing the case through the Irish DPC.
| Year | Fine | Issue |
|---|---|---|
| 2020 | €100 million | Advertising cookies placed before consent; inadequate information and a defective opt-out |
| 2021 (decision of 31 December, announced January 2022) | €150 million | Rejecting cookies took several clicks while accepting took one |
| 2025 | €325 million | Cookies placed at account creation without valid consent; ads inserted into Gmail inboxes without consent |
This isn’t coincidence. Regulators explicitly calibrate repeat-offense penalties as an escalating deterrent. The logic: a first violation demonstrates non-compliance; a second demonstrates you received the notice and didn’t fix it; a third demonstrates you assessed the cost-benefit and concluded continued non-compliance was cheaper than remediation. The fine is designed to break that calculus.
For compliance teams, the lesson is procedural: document your GDPR gap assessments, document your remediation timelines, and close findings before they become evidence of knowing disregard.
The Three Enforcement Themes to Understand
1. Cross-Border Transfer Failures (Articles 44–49)
GDPR restricts transfers of EU personal data to countries outside the EU/EEA unless one of three conditions is met:
- The destination country has an adequacy decision (the EU has declared its data protection laws equivalent)
- You use an approved transfer mechanism — most commonly Standard Contractual Clauses (SCCs)
- One of the narrow derogations applies (specific consent, vital interests, etc.)
For US companies, the EU-US Data Privacy Framework is the cleanest path. The European Commission adopted the DPF adequacy decision in July 2023, three years after the Schrems II ruling invalidated the previous Privacy Shield. Certification is through the US Department of Commerce at dataprivacyframework.gov. If your company is DPF-certified and transfers data to your US systems, that transfer has legal cover. Two caveats: the decision covers only transfers to organizations whose certification is active, so a lapsed or withdrawn certification drops the transfer back onto SCCs, and it covers only the data categories (HR and/or non-HR) the organization certified for.
Companies not enrolled in DPF must use SCCs (or, within a corporate group, Binding Corporate Rules), plus a Transfer Impact Assessment (TIA) documenting your analysis of the destination country’s legal environment; since Schrems II and the 2021 SCCs, the documented assessment is a required step, not an optional one. Meta’s €1.2 billion fine was largely premised on the finding that SCCs plus Meta’s supplementary measures could not address the access US surveillance law gives to EU data. That legal argument is still contested, but it’s the enforcement environment you’re operating in.
2. Invalid Legal Basis (Article 6)
Every processing activity requires a lawful basis. The two most commonly misapplied:
Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent (consent to everything or nothing), or access denial unless consent is given (“consent walls”) don’t satisfy this standard. GDPR consent is also revocable — your system must support revocation as easily as it supports giving consent.
Legitimate interests requires a three-part balancing test: purpose test (is your interest legitimate?), necessity test (is processing necessary for that purpose?), and balancing test (do your interests override the data subject’s rights?). The balancing test must be documented before processing begins. Filling it in after an inquiry starts is not compliant.
3. Consent Dark Patterns
The European Data Protection Board published guidelines on dark patterns in 2022. Enforcement is now catching up with the guidance.
Dark patterns in consent flows regulators are actively investigating:
- Prominence asymmetry: “Accept all” in bright color, “Reject” in grey text or buried two clicks deeper
- Interface interference: Cookie banners that reappear despite a user’s rejection
- Bundling: Checkbox that accepts both necessary and optional cookies simultaneously
- Deceptive framing: “Improve our services” as the description for behavioral advertising
If your consent management platform was configured in 2020 and hasn’t been reviewed since, it almost certainly has patterns that current enforcement guidance flags.
What US Companies With EU Users Actually Need to Assess
Records of Processing Activities (RoPA)
Article 30 requires a written record of all processing activities. For data controllers with 250+ employees, this is mandatory regardless of risk level. Below 250 employees, it applies to processing that is likely to result in risk to individuals, is not occasional, or involves special categories of data (health, biometric, etc.).
The RoPA must document: what data you collect, why, the legal basis, who it’s shared with, retention periods, and transfer mechanisms. If you can’t answer a supervisory authority’s inquiry questions from your RoPA, that’s evidence of inadequate compliance infrastructure.
Transfer Mechanism Review
Before your next board compliance report, answer these questions:
- Are you enrolled in the EU-US Data Privacy Framework?
- If not, what SCCs are in place, and have you completed Transfer Impact Assessments for each data flow?
- Which of your vendors and sub-processors are receiving EU personal data, and under what transfer mechanism?
For vendor/processor management, your third-party risk management framework should be mapping which processors receive EU data and verifying they have appropriate transfer mechanisms in their own sub-processor chains.
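The transfer questions above, the legal-basis rules from the previous section, and the Article 30 and Article 28 checks can be run mechanically once the RoPA is held as structured data rather than a spreadsheet nobody reads. The following Python script is an added example written for this article, not a tool from any regulator, vendor or the author’s templates. The field names, the EEA and adequacy country sets (deliberately incomplete; check the Commission’s current list), and the rule thresholds are assumptions for illustration, and the two sample records use fictional vendors. It flags the patterns the enforcement record punishes: a third-country processor on SCCs with no TIA, legitimate interests claimed for behavioral advertising with no balancing test on file, a processor with no Article 28 DPA, and a record with no retention period.

```python
"""Constructed example: a consistency check over Records of Processing Activities.
Written for this article; not a regulator or vendor tool, and not legal advice.
Field names, country sets and rules are illustrative assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}

# Illustrative subsets only. Verify against the Commission's current lists.
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "SE",
       "NO", "IS", "LI"}
ADEQUATE = {"CH", "GB", "JP", "KR", "CA", "NZ", "IL", "AR", "UY"}


@dataclass
class Recipient:
    name: str
    country: str                    # ISO 3166-1 alpha-2
    role: str                       # "processor" or "controller"
    mechanism: Optional[str] = None  # "DPF", "SCC", "BCR", "derogation" or None
    dpf_certified: bool = False     # status verified at dataprivacyframework.gov
    tia_completed: bool = False     # Transfer Impact Assessment on file
    dpa_signed: bool = False        # Article 28 agreement executed


@dataclass
class Activity:
    name: str
    purpose: str
    data_categories: list[str]
    legal_basis: str
    retention: Optional[str]
    recipients: list[Recipient] = field(default_factory=list)
    lia_documented: bool = False        # legitimate-interests balancing test on file
    consent_withdrawable: bool = False  # withdrawal as easy as giving consent
    behavioral_advertising: bool = False


def check_transfer(r: Recipient) -> list[str]:
    """Chapter V: does the transfer to this recipient rest on a valid basis?"""
    if r.country in EEA or r.country in ADEQUATE:
        return []                                   # no transfer mechanism needed
    if r.country == "US" and r.mechanism == "DPF":
        if not r.dpf_certified:
            return [f"{r.name}: DPF claimed but certification not verified"]
        return []
    if r.mechanism in {"SCC", "BCR"}:
        if not r.tia_completed:
            return [f"{r.name}: {r.mechanism} to {r.country} without a TIA"]
        return []
    if r.mechanism == "derogation":
        return [f"{r.name}: Art. 49 derogation used; confirm it is occasional and documented"]
    return [f"{r.name}: transfer to {r.country} with no transfer mechanism"]


def audit_activity(a: Activity) -> list[str]:
    findings: list[str] = []
    # Art. 30 completeness, limited to the fields the article lists
    for label, value in (("purpose", a.purpose), ("data categories", a.data_categories),
                         ("retention period", a.retention)):
        if not value:
            findings.append(f"RoPA incomplete: missing {label}")
    # Art. 6 lawful basis
    if a.legal_basis not in LAWFUL_BASES:
        findings.append(f"unknown legal basis '{a.legal_basis}'")
    if a.legal_basis == "legitimate_interests":
        if not a.lia_documented:
            findings.append("legitimate interests claimed without documented balancing test")
        if a.behavioral_advertising:
            findings.append("legitimate interests for behavioral advertising: high-risk, needs legal review")
    if a.legal_basis == "consent" and not a.consent_withdrawable:
        findings.append("consent basis but withdrawal not as easy as giving consent")
    # Art. 28 and Chapter V, per recipient
    for r in a.recipients:
        if r.role == "processor" and not r.dpa_signed:
            findings.append(f"{r.name}: processor without Art. 28 DPA")
        findings.extend(check_transfer(r))
    return findings


def audit_ropa(activities: list[Activity]) -> dict[str, list[str]]:
    return {a.name: audit_activity(a) for a in activities}


# Constructed sample records with fictional vendors.
SAMPLE = [
    Activity("crm-sync", "Customer account management", ["name", "email"], "contract",
             "3 years", recipients=[Recipient("us-crm-vendor", "US", "processor", "DPF",
                                              dpf_certified=True, dpa_signed=True)]),
    Activity("ad-targeting", "Behavioral advertising", ["browsing history", "device id"],
             "legitimate_interests", None,
             recipients=[Recipient("cn-analytics", "CN", "processor", "SCC")],
             behavioral_advertising=True),
]

if __name__ == "__main__":
    for name, findings in audit_ropa(SAMPLE).items():
        print(name, "->", findings or ["no findings"])
```

Run it and the clean record produces no findings while the advertising record produces five, one per gap. The useful step is the one not shown: load `SAMPLE` from your real RoPA export (CSV or JSON) and run the audit in CI, so a new vendor on SCCs without a TIA or a legitimate-interests entry without a balancing test fails a build instead of surfacing in a regulator’s questionnaire.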
Article 28 Data Processing Agreements
Any vendor that processes EU personal data on your behalf is a “data processor” under GDPR. Article 28 requires a written data processing agreement (DPA) with every processor. These aren’t boilerplate — they must include: processing scope and purpose, security requirements, sub-processor provisions, data breach notification obligations, audit rights, and data return/deletion obligations at contract end.
Review your vendor contracts. Most SaaS vendors now have GDPR DPAs available on request or through their legal documentation pages. If a vendor with access to EU personal data doesn’t have one, that’s a compliance gap today.
Consent Mechanism Audit
Test your own consent flows from an EU IP address or use a VPN. Ask:
- Is rejecting cookies as easy as accepting them?
- Does rejection actually prevent non-essential tracking, or does it just change consent status in a database?
- Can a user withdraw consent as easily as they gave it?
- Does your privacy notice accurately describe what behavioral advertising processing occurs?
The CCPA and CPRA have pushed US companies toward better consent infrastructure, but the California privacy enforcement landscape still lags behind GDPR in teeth, and the two models differ structurally: California is opt-out (Do Not Sell or Share), while non-essential cookies in the EU require opt-in consent before they are set. A banner built to satisfy California requirements can be fully compliant there and still unlawful under GDPR and the ePrivacy rules.
So What? The Practical Checklist
GDPR compliance for a US company with EU users isn’t a one-time project — it’s a program. But if you’re starting from nothing or conducting a gap review, here’s where to focus:
| Priority | Action | GDPR Article |
|---|---|---|
| High | Confirm EU-US DPF enrollment or document SCCs + TIAs for all US-bound data flows | Art. 44–46 |
| High | Review legal basis for behavioral advertising and analytics — document the balancing test if relying on legitimate interests | Art. 6 |
| High | Execute Article 28 DPAs with all data processors (vendors with EU personal data access) | Art. 28 |
| Medium | Audit consent flows: rejection must be as easy as acceptance, pre-ticked boxes must be gone | Art. 7, EDPB guidelines |
| Medium | Complete or update your RoPA for all processing activities | Art. 30 |
| Medium | Map all sub-processor chains — what transfer mechanisms do your vendors’ vendors use? | Art. 28(4) |
| Lower | Review privacy notices for completeness and accuracy against current processing | Art. 13–14 |
| Lower | Test data subject rights response process: erasure, portability, and right to object | Art. 17–21 |
The companies getting fined aren’t all operating in bad faith. Many built reasonable programs in 2018 and haven’t kept them current. GDPR enforcement has matured faster than most compliance calendars. The TikTok fine, the LinkedIn fine, and Google’s third penalty all share a common thread: the regulator looked closely, found a gap, and issued a penalty calibrated to make compliance cheaper than continued non-compliance.
The GLBA and state privacy law patchwork adds another layer of complexity for US companies — but GDPR’s global reach means it applies regardless of which US states your customers are in. If you have EU users, you have GDPR exposure.
That exposure is finite and manageable. The DPF, SCCs with proper TIAs, clean consent flows, and Article 28 DPAs cover most of the enforcement surface. The companies still getting fined in 2025 aren’t being surprised — they’re being caught having made a deliberate or negligent choice not to close known gaps.
Sources: Irish DPC TikTok Decision (May 2025) · GDPR Enforcement Tracker · Surfshark GDPR Fines 2025 Research · EU-US Data Privacy Framework · Privacy Pillar: GDPR Fines in 2025
Related Template
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.