
GDPR Enforcement in 2026: The Biggest Fines, What's Being Targeted, and What US Companies Keep Getting Wrong

May 6, 2026 Rebecca Leung

TL;DR

  • GDPR cumulative fines have crossed €7.1 billion. Enforcement is accelerating, not stabilizing — eight fines exceeding €50 million were issued in early 2026 alone.
  • The top enforcement targets: unlawful cross-border data transfers (TikTok €530M), invalid consent for behavioral advertising (LinkedIn €310M), and dark patterns (Google €100M France).
  • The EU-US Data Privacy Framework remains legally uncertain under the current US administration, reviving transfer mechanism risk for US multinationals relying on it.
  • EDPB’s 2026 coordinated enforcement focus is transparency — every DPA in the EU is auditing privacy notices simultaneously.
  • The most common US company mistakes: relying on SCCs without Transfer Impact Assessments, overusing legitimate interest, and treating GDPR as a 2018 project they’ve already finished.

“We did GDPR in 2018” is one of the most dangerous things a compliance officer can say. It means your privacy notice hasn’t been updated since the regulation took effect, your transfer impact assessments don’t exist, and your legal bases for data processing were set when “legitimate interest” was still an easy answer. It means you’ve been coasting — and European Data Protection Authorities have been taking notes.

GDPR enforcement has crossed €7.1 billion in cumulative fines. The annual pace is accelerating: 2025 alone produced €1.2 billion in fines, and the first six weeks of 2026 saw enforcement decisions surpass all of 2023 in total value. The average fine has quadrupled since 2021, from €2.3 million to €8.7 million. This is not a framework still finding its footing. The grace period ended years ago.

If your organization processes EU personal data — and if you have EU customers, EU employees, or EU website visitors, you almost certainly do — here is what the enforcement landscape actually looks like in 2026.

The Scoreboard: Fines That Moved the Needle

The €1.2 billion Meta penalty issued by Ireland’s Data Protection Commission in 2023 remains the record single fine. Meta was found to have unlawfully transferred EU user data to the United States following the Schrems II ruling, relying on transfer mechanisms that DPCs had already flagged as inadequate. Meta paid and appealed.

Since then, the enforcement pace has not slowed.

| Company | DPA | Fine | Violation | Year |
|---|---|---|---|---|
| Meta (Instagram) | Ireland DPC | €1.2 billion | Unlawful EU-US data transfers (Schrems II) | 2023 |
| TikTok | Ireland DPC | €530 million | Unlawful EU-China data transfers, inadequate safeguards | 2025 |
| Google | France CNIL | €325 million | Consent violations, signup data and Gmail advertising | 2025 |
| LinkedIn | Ireland DPC | €310 million | Invalid legal basis for behavioral advertising | 2024 |
| WhatsApp | Ireland DPC | €225 million | Transparency failures, privacy notice deficiencies | 2021 |
| Google | France CNIL | €100 million | Dark patterns — cookie rejection made harder than acceptance | 2021 |
| Replika/Luka Inc. | Italy Garante | €5 million | GDPR violations in AI data processing | 2025 |

The Ireland DPC’s outsized role is structural: most major US tech companies route their EU operations through Ireland, making the DPC their lead supervisory authority under GDPR’s one-stop-shop mechanism. When the DPC acts, it acts against the largest targets.

Luxembourg’s CNPD issued a €746 million fine against Amazon Europe Core in 2021 for processing personal data for advertising without proper consent. That fine was annulled on procedural grounds by the Luxembourg Administrative Court in March 2026 and sent back to the CNPD for reconsideration — an important reminder that GDPR enforcement goes through administrative and judicial channels that can take years to resolve.

What DPAs Are Targeting in 2026

Data Transfers: Still the Mega-Fine Driver

The TikTok €530 million penalty (May 2025) is the clearest statement DPAs have made about cross-border transfers post-Schrems II. The Irish DPC found that TikTok had transferred EEA user data to China — where it was accessible to Chinese staff — without adequate safeguards. Standard Contractual Clauses were in place, but TikTok had not conducted adequate Transfer Impact Assessments to evaluate China’s surveillance legal regime and whether it provided essentially equivalent protection to the GDPR.

The lesson: SCCs are a legal mechanism, not a compliance answer. They require a parallel TIA demonstrating that the transfer can be made safely given the recipient country’s laws. For data flowing to China, DPAs have made clear they believe TIAs will rarely support the adequacy conclusion.

LinkedIn’s €310 million fine (October 2024) came down to legal basis: LinkedIn was processing personal data for behavioral advertising using a combination of consent, contract necessity, and legitimate interest — none of which the Irish DPC found valid for that purpose. The DPC concluded that LinkedIn lacked any lawful ground for processing data for targeted advertising.

This isn’t an isolated action. It mirrors the pattern from Meta, Google, and WhatsApp. DPAs across Europe have consistently rejected the argument that legitimate interest can support behavioral advertising without clear, specific justification that actually outweighs users’ fundamental rights and freedoms. If your legal basis for any advertising or profiling activity was set by a lawyer in 2018 and never reviewed, review it now.

Dark Patterns: Interface Design Is a Compliance Problem

France’s CNIL issued a €100 million fine against Google for making cookie rejection harder than acceptance — a dark pattern in cookie consent UI. The standard the CNIL established is essentially that accepting and rejecting cookies must require the same number of clicks. Burying the reject option, using prominent “Accept” buttons alongside small “Manage Preferences” links, or defaulting to consent — all of this is now actionable in France and most other EU jurisdictions following similar DPA guidance.

Dark pattern enforcement has expanded significantly since the CNIL action. Design choices — color, layout, default states, button prominence — are now compliance decisions, not just UX decisions.

AI Data Processing: The Garante Moves First

Italy’s Garante fined Replika’s maker Luka Inc. €5 million in 2025 for GDPR violations related to AI data processing — specifically around consent for processing special category data and lack of transparency about how user conversations trained AI models. Italy has consistently moved faster than other DPAs on AI-related GDPR enforcement, acting ahead of the EU AI Act’s formal enforcement timeline.

For any organization using generative AI tools that process personal data — which includes most enterprise AI deployments — the Garante’s enforcement is a preview of where scrutiny is heading. The intersection of GDPR and AI obligations is explored further in AI and Consumer Data Rights: What State Privacy Laws Require.

The 2026 Coordinated Enforcement Theme: Transparency

The European Data Protection Board designated transparency and information provision as its 2026 coordinated enforcement focus. This means every national DPA — all 46 of them — is simultaneously investigating how organizations communicate data processing practices to individuals.

In practice: auditors are reviewing privacy notices for clarity, completeness, accessibility, and whether they can actually be read before data collection begins. They’re checking whether privacy notices describe data subjects’ rights clearly, whether retention periods are specified, and whether they adequately describe transfers to third parties and third countries.

Organizations with privacy notices that haven’t been materially updated since 2018, that are buried in sites’ footers behind three clicks, or that use opaque language about “business partners” without specifics — those are the targets. Expect enforcement waves from DPAs across Europe in late 2026 and 2027 based on the findings from these coordinated audits.

The US Company Problem: Four Gaps That Keep Getting Companies Fined

1. Relying on SCCs Without Transfer Impact Assessments

The post-Schrems II world requires more than signing Standard Contractual Clauses and calling data transfer compliance done. DPAs — particularly France’s CNIL in January 2025 guidance — have made clear that TIAs must: document the specific laws and surveillance practices of the recipient country, assess the real-world risk of government access to transferred data, and identify specific supplementary technical and organizational measures that meaningfully reduce that risk.

For US-bound transfers, the EU-US Data Privacy Framework provides an adequacy mechanism that eliminates the need for SCCs or TIAs — if your US company is certified. But the DPF’s stability is not guaranteed (more on that below). Companies relying on SCCs for EU-US transfers without documented TIAs are running the same risk TikTok ran for China transfers, just at a lower likelihood of enforcement.

2. Overusing Legitimate Interest

Legitimate interest (Article 6(1)(f)) requires a three-part test: a legitimate purpose, necessity (that you can’t achieve the purpose less intrusively), and a balancing test (that your interests don’t override the data subject’s rights and freedoms). DPAs have consistently found that behavioral advertising and profiling fail this test. So do pre-emptive data retention for potential regulatory requests, scraping personal data without notice, and processing beyond the scope of the original purpose.

The bar is not zero. Legitimate interest is valid for fraud prevention, IT security, certain marketing activities, and intra-group data sharing where individuals have a reasonable expectation. But it cannot be used as a default when you don’t want to ask for consent, and it requires documentation of the balancing test — not just a checkbox.

3. No Transfer Impact Assessments for Third-Party Vendors

Organizations frequently focus GDPR compliance effort on their own data processing activities and forget that data processors — cloud vendors, analytics tools, CRM platforms, HR software — also transfer data. Every vendor contract that involves EU personal data needs a Data Processing Agreement (DPA). Every such agreement that involves a transfer to a non-adequate third country also needs a TIA. Most organizations have the agreements; most do not have the TIAs.

This gap compounds: your vendor’s subprocessors create fourth-party transfer exposure. If your cloud vendor uses a US analytics subprocessor, that’s a transfer chain that runs through your DPA but may not have an adequate TIA. The complete vendor risk management process covers how to systematically audit the vendor chain for data processing and transfer gaps.

4. Treating GDPR as a Finished Project

GDPR compliance is an operational obligation, not a 2018 implementation. Records of processing activities must stay current as new processing activities are added. Vendor agreements must be reviewed when vendors update their terms or subprocessors. Privacy impact assessments must be conducted for new high-risk processing. Legal bases must be re-evaluated when the purpose or context of processing changes. The Regulation requires this. Examiners assess whether it’s actually happening.

The EU-US Data Privacy Framework: Read the Risk

The EU-US Data Privacy Framework, launched in July 2023 after the invalidation of Privacy Shield, provides an adequacy decision for US companies that self-certify with the US Department of Commerce. For US companies relying on DPF certification instead of SCCs, it eliminated the need for TIAs on EU-US transfers.

That mechanism is now under political pressure. The new US administration’s posture toward EU-US regulatory arrangements has raised uncertainty about whether the DPF will survive a legal challenge — a NOYB-filed case against the DPF is pending before the CJEU. A legal challenge that parallels Schrems I and Schrems II is structurally possible.

Organizations that moved from SCCs to DPF certification should maintain their SCC infrastructure and TIA documentation. If the DPF is invalidated, the fallback timeline will be short. Companies caught without a valid alternative mechanism will face the same situation that triggered the Meta €1.2 billion fine.

So What Does This Mean For Your Privacy Program?

GDPR enforcement in 2026 is not a European problem for European companies. Most of the significant fines have been against US-headquartered companies — Meta, Google, TikTok. The enforcement vehicle is the EU presence (a subsidiary, a representative, an EU data controller), but the compliance failures traced back to global practices. US state privacy enforcement is moving in a parallel direction — the California Privacy Protection Agency’s 2025 enforcement actions show how aggressively state-level regulators are applying similar principles to data brokers and consumer analytics.

Four things to do now:

Audit your transfer mechanisms. For every EU-US or EU-to-third-country transfer: is your mechanism current? If DPF, are you certified and is certification current? If SCCs, do you have a documented TIA? If no TIA exists, build one before you need to defend it.

Review your legal bases. If you’re relying on legitimate interest for any advertising, profiling, or data retention activity, run the balancing test explicitly and document it. If the result is uncertain, consent may be the only defensible basis.

Overhaul your privacy notice. If it hasn’t been materially updated since 2018, it almost certainly doesn’t meet current DPA expectations. The EDPB’s 2026 enforcement focus means this is not abstract.

Map your vendor chain. Confirm that every data processor has a DPA. For processors in non-adequate countries, confirm that transfer mechanisms and TIAs exist. This includes subprocessors.
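The vendor-chain audit described in gap 3 and in the step above, written out as an added example (not code from the article or from RiskTemplates): it walks a processor/subprocessor inventory and flags every node that lacks a Data Processing Agreement, and every transfer to a non-adequate country that is covered neither by a current DPF certification nor by a documented TIA. The vendor names, countries and adequacy list are constructed sample values; the `dpf_valid=False` switch simulates the DPF being invalidated, to show which SCC/TIA fallbacks would suddenly be missing.

```python
from dataclasses import dataclass, field

# Countries treated as adequate for this example only (constructed list);
# check the Commission's current adequacy decisions before relying on one.
ADEQUATE = {"IE", "DE", "FR", "NL", "UK", "CH", "JP", "CA"}


@dataclass
class Vendor:
    name: str
    country: str                 # ISO-style code, constructed sample values
    has_dpa: bool = False        # Data Processing Agreement signed
    has_tia: bool = False        # Transfer Impact Assessment on file
    dpf_certified: bool = False  # EU-US Data Privacy Framework self-certification
    subprocessors: list = field(default_factory=list)


def transfer_gaps(vendor, chain=(), dpf_valid=True):
    """Return (chain, gap) tuples for a vendor and every subprocessor under it.

    dpf_valid=False simulates the DPF being invalidated: US recipients then
    need a documented TIA behind their SCCs, the fallback the article
    says to keep ready.
    """
    path = chain + (vendor.name,)
    gaps = []
    if not vendor.has_dpa:
        gaps.append((path, "missing DPA"))
    if vendor.country not in ADEQUATE:
        covered_by_dpf = dpf_valid and vendor.country == "US" and vendor.dpf_certified
        if not covered_by_dpf and not vendor.has_tia:
            gaps.append((path, f"transfer to {vendor.country} without TIA"))
    for sub in vendor.subprocessors:        # fourth-party exposure: recurse
        gaps.extend(transfer_gaps(sub, path, dpf_valid))
    return gaps


def audit(vendors, dpf_valid=True):
    """Audit a whole inventory; subprocessor chains show up as longer paths."""
    return [g for v in vendors for g in transfer_gaps(v, (), dpf_valid)]


# Constructed sample inventory, not real vendors.
SAMPLE_INVENTORY = [
    Vendor("cloud-host", "IE", has_dpa=True, subprocessors=[
        Vendor("analytics-sub", "US", has_dpa=True),              # fourth party: no TIA, no DPF
        Vendor("support-sub", "IN", has_dpa=True, has_tia=True),  # SCCs backed by a TIA
    ]),
    Vendor("hr-saas", "US", has_dpa=True, dpf_certified=True),    # fine only while DPF stands
    Vendor("crm", "US"),                                          # no DPA, no TIA
]

if __name__ == "__main__":
    for dpf in (True, False):
        print(f"DPF valid={dpf}")
        for path, gap in audit(SAMPLE_INVENTORY, dpf_valid=dpf):
            print("  " + " -> ".join(path) + ": " + gap)
```

Running it with `dpf_valid=False` surfaces the DPF-certified HR vendor as a new gap, which is the fallback exposure the next section describes.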

The organizations that treated GDPR as a one-time project are the ones funding the €7.1 billion enforcement total. The organizations running GDPR as a living program are mostly not on that list.


The Data Privacy Compliance Kit includes a GDPR Transfer Impact Assessment template, Data Processing Agreement checklist, Records of Processing Activities template, and a 19-state US privacy law applicability matrix — updated for 2026.



Frequently Asked Questions

What are the largest GDPR fines ever issued?
The largest single GDPR fine remains the €1.2 billion penalty against Meta (Instagram) issued by Ireland's Data Protection Commission in May 2023 for unlawful EU-US data transfers in violation of the Schrems II ruling. Other top fines include TikTok (€530 million, May 2025, EU-China data transfers), Google (€325 million, September 2025, consent violations), LinkedIn (€310 million, October 2024, invalid legal basis for behavioral advertising), and WhatsApp (€225 million, 2021).
Which EU data protection authorities issue the most GDPR fines?
Spain's AEPD issues the most fines by count — over 932 decisions to date — focused largely on smaller companies and individuals. Ireland's Data Protection Commission issues the largest fines by value, having penalized Meta, TikTok, LinkedIn, and WhatsApp. France's CNIL and Italy's Garante are the most active in targeting tech and AI-adjacent violations.
What are the most common GDPR violations that lead to enforcement?
Insufficient legal basis for data processing — typically using invalid consent or overstretched legitimate interest for behavioral advertising — accounts for the majority of high-value enforcement actions. Unlawful cross-border data transfers remain the top driver of mega-fines. Dark patterns (making cookie rejection harder than acceptance) have emerged as a major enforcement priority, particularly in France. Inadequate transparency and information provision is the EDPB's 2026 coordinated enforcement focus.
Does GDPR apply to US companies with no EU presence?
Yes. GDPR's extraterritorial reach (Article 3) covers any organization that processes personal data of EU residents in connection with offering goods or services to them, or monitoring their behavior — regardless of whether the organization has an EU office. US companies with EU customers, EU website visitors, or EU employees are covered. The first step is determining applicability; the second is appointing an EU representative under Article 27 if required.
What is a Transfer Impact Assessment and when is it required?
A Transfer Impact Assessment (TIA) is a documented analysis of whether a third country (typically the US) provides an essentially equivalent level of protection to the GDPR for specific categories of data being transferred. TIAs are required when you rely on Standard Contractual Clauses or Binding Corporate Rules as your transfer mechanism, rather than an adequacy decision. France's CNIL issued detailed TIA guidance in January 2025 requiring exporters to document specific risk-mitigation steps based on the recipient country's surveillance laws.
What is the EDPB's 2026 enforcement priority?
The European Data Protection Board designated transparency and information provision as its 2026 coordinated enforcement focus. Every national DPA across the EU is running parallel investigations into how organizations communicate data processing practices — specifically whether privacy notices are clear, complete, accessible, and actually read by users before their data is processed. Expect enforcement actions in late 2026 and 2027 against organizations with deficient, buried, or misleading privacy notices.
Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
