TikTok fine of €530m the largest handed out by DPC last year
Pro
Image: Mikhail Nilov via Pexels
GDPR enforcement across Europe remained consistently high throughout 2025, with regulators issuing fines totalling approximately €1.2 billion, in line with the previous year, according to the annual GDPR Fines and Data Breach Survey by global law firm DLA Piper.
The largest fine of the year was imposed by the DPC in April 2025, when it issued a €530 million sanction against TikTok for breaching GDPR’s international data transfer rules. The decision is particularly notable not only for its scale, but because it represents the first major GDPR enforcement relating to transfers of personal data to China, underscoring the global reach of enforcement.
Aggregate fines issued by the Irish Data Protection Commission have now reached €4.04 billion since 2018. The figure should come as no surprise as under the General Data Protection Regulation companies are pursued for breaches in the country where their European office is based. In many cases this is Ireland and the Data Protection Commission has come under repeated criticism from EU member states for its slow pace. The DPC has also been criticised for siding with Big Tech against consumers. Last year the European Court of Justice ruled against Ireland for its defence of Facebook, Instagram and WhatsApp’s (now a combined entity, Meta Platforms) in the processing of “special data” such as race, ethnicity, political leanings, and religious beliefs for ad targeting.
France overtook Luxembourg to become the second-largest enforcer overall in 2025, and is now the only other European country, after Ireland, to have issued more than €1 billion in GDPR fines since 2018.
A new era of cyber threat realised
The report also highlighted a sharp escalation in cyber risk across Europe. Between 28 January 2025 and 27 January 2026, average personal data breach notifications rose by 22%, reaching 443 per day. This marks a clear departure from the plateau seen in recent years and reflects an increasingly hostile cyber threat landscape.
Notably, Ireland diverged from the European trend, recording only a modest 3% increase in breach notifications over the same period.
Authorities also continued to focus heavily on compliance with the lawfulness, fairness and transparency principle, as well as on the security of personal data, with a number of significant fines imposed for failures in technical and organisational measures.
Partner and global co-chair data, privacy and cybersecurity group John Magee said: “This year’s figures make clear that GDPR enforcement shows no sign of slowing. While the total value of fines held steady, regulators remain willing to impose substantial monetary penalties, despite ongoing criticism from outside the EU. Ireland’s Data Protection Commission remains Europe’s pre-eminent enforcer by some distance. The €530 million fine – the largest imposed anywhere in Europe in 2025 and a landmark ruling on non-US data transfers – underlines the DPC’s central role in shaping how GDPR is enforced globally.
“The large uptick in personal data breach notifications across Europe is reflective of an increasingly risky cyber security threat landscape fuelled by heightened geopolitical tensions and high-profile cyberattacks. Ireland’s divergence from this trend in 2025 may reflect an increased hesitancy among businesses to report incidents rather than substantive improvement in underlying security. Either way, coupled with a slew of new EU cybersecurity laws, some of which impose personal liability on directors, our report underscores the need for organisations to strengthen their cyber defences and improve operational resilience.”
TechCentral Reporters