9 June 2025

Enforcement Under The General Data Protection Regulation (GDPR): GDPR Fines Reach Record Levels In 2025

Michael Kyprianou Law Firm


The firm, based in Cyprus, has an international presence. Its services include Dispute Resolution, Property, Shipping, Immigration, Commercial and Corporate Law. It is highly ranked by leading legal directories, including Legal500 and Chambers and regularly receives accolades from the Cyprus Government and international bodies, in recognition of its excellent service and commitment to the values of integrity, efficiency and professionalism.

It has been seven years since the General Data Protection Regulation (GDPR) came into force, giving effect to the European Union's commitment that it will not compromise on the protection of personal data in a fast-changing digital world. Now, in 2025, the consequences of non-compliance are more visible than ever. With fines surpassing €5.65 billion as of March 2025, the GDPR sends a clear message: non-compliance with the provisions of the regulation is met with stronger enforcement and precedent-setting cases, and it is a signal to tech giants that European regulators are willing to act decisively.

A Surge in Penalties

The past 18 months have shown the most notable increase in fines to date, with regulators imposing significant financial penalties on major technology firms, particularly those handling vast amounts of user data across borders. The Irish Data Protection Commission (DPC), which supervises some of the biggest tech giants with their European base in Ireland owing to the country's role as a European tech hub, has been particularly active.

In May 2025, TikTok received a staggering €530 million fine for unlawfully transferring user data from the EU to China and for failing to guarantee and demonstrate that the personal data of EEA users, accessed in China, was afforded a level of protection equivalent to EU and GDPR standards. Moreover, TikTok did not adhere to the transparency requirements under the GDPR, failing to provide sufficient information about such transfers of personal data to China in its privacy policy and notices. The assumption that no one reads privacy policies or terms and conditions is therefore no excuse for a lack of transparency about how an organization processes personal data, and it will not exempt an organization from liability for such unlawful practices. The DPC's investigation revealed that TikTok's handling of European users' data violated several core GDPR principles, particularly transparency, data minimization, and lawful basis for processing.

Similarly, Amazon lost its legal battle against a record €746 million fine imposed by Luxembourg's CNPD. This case concerned how Amazon targeted users with personalized ads, with regulators finding that the company lacked valid user consent for its data profiling practices. It is a significant precedent against tech firms harvesting users' personal data unlawfully and using it for financial gain at the user's expense.

These headline-grabbing fines are not isolated cases—they reflect a broader trend of tougher enforcement and mounting pressure on companies to take data protection seriously.

Changing Enforcement Climate

The GDPR allows for administrative fines of up to €20 million or 4% of a company's annual global turnover, whichever is higher. For years, critics argued that regulators were too slow or too lenient in applying these powers. That criticism is now harder to sustain.

The increasing scale of the penalties demonstrates that regulators are maturing in their enforcement strategies. Over the seven years since the GDPR came into effect, interpretation from cases heard at the Court of Justice of the European Union (CJEU) and guidance from the European Data Protection Board have helped clarify certain grey areas of the regulation, so that regulators now have a clearer path to set their enforcement powers in motion.

While the spotlight of enforcement is usually on major tech firms that dominate the headlines, medium-sized businesses are not immune to the regulators' scrutiny, especially in sectors like online advertising and ad-tech, healthcare and research, and finance, where large volumes of personal data are being processed and data-handling practices often involve high risks for individuals.

Legal Pushback and Compliance Challenges

As expected, many of these fines are met with appeals. Large corporations argue that regulators are overreaching and that interpretations of 'legitimate interest' and 'consent' are too restrictive, thereby obstructing global innovation and the open market.

It is no secret that adherence to the provisions of the regulation presents a major compliance burden. Global trends show a significant increase in investment in privacy technology, in the hiring of data protection officers, and in the revision of privacy and data protection compliance measures. Proactive data governance is therefore quickly becoming a business imperative in a data-driven global market.

A Global Message

The European Union's approach to privacy is setting a global standard. As the fines grow, so does the international relevance of the GDPR, which has become one of the most notable examples of the "Brussels effect" across the globe. Countries around the world, from Brazil to India, are designing or updating their own data protection frameworks, often using the GDPR as a reference.

For multinational firms, this means that failing to comply with European data rules may not only result in large fines in the EU but could also create reputational damage and spark scrutiny in other jurisdictions.

Conclusion

The record fines of 2025 are more than punitive—they are symbolic. They demonstrate that the European Union remains committed to digital rights and that the GDPR, despite its challenges, is a living, evolving piece of legislation. As more and more human interaction takes place in the online universe, personal data processing becomes an extension of our autonomy and self-determination as individuals, which EU rules strive to protect.

As enforcement becomes more assertive, companies operating in Europe must treat data privacy not just as a legal requirement but as a core component of trust and corporate responsibility towards human rights and individual freedom.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
