Regulatory risk map 2025: global enforcement trends in data protection

Updated as of: 25 November 2025

From GDPR fines in the hundreds of millions to the first civil penalties ordered under Australia’s Privacy Act, Lexology PRO analyses data protection enforcement activity from 2025 to identify key risks and trends.

The data in this article is based on Lexology PRO’s Scanner, our automated regulatory monitoring tool covering 18 regulatory areas and tracking over 1500 regulatory sources. Full details on Scanner’s regulatory coverage can be found here.

Enforcement in this series includes any action regulators have taken as part of their enforcement powers, including active investigations, audits, decisions, fines, penalties, settlements, and/or orders. This report covers data – primarily agency announcements – released between 1 November 2024 and 1 November 2025. 

Where did the most enforcement activity come from?

Overall, European data protection authorities (DPAs) were responsible for the most enforcement activity between November 2024 and November 2025. The Romanian DPA was the most active in terms of volume, followed by the South Korean Personal Information Protection Commission (PIPC). The Irish and French DPAs administered the weightiest fines overall.

The Romanian DPA issued a large number of relatively minor penalties under the EU General Data Protection Regulation (GDPR), most commonly against companies for failing to maintain adequate security measures or prevent unauthorised access to personal data.

Similarly, the PIPC authorised several smaller fines – primarily against companies that failed to implement measures to protect personal data from cyberattacks. It also issued more notable fines, including against SK Telecom, and launched a number of investigations against companies suspected of privacy violations. 

Tim Hickman, Partner at White & Case, told Lexology PRO:

“The law continues to evolve, being shaped by both major court cases substantially affecting certain assumptions about the foundational concept of ‘personal data’ and enforcement cases. There are also legislative changes in the UK and proposed changes to EU GDPR. These developments have a material impact on companies’ compliance obligations, and the enforcement risks they face. Companies need to ensure that they keep up to date, and that they understand the business impact of these changes.”

Lack of transparency, failure to implement adequate security measures and failure to identify an appropriate lawful basis for processing were among the most common compliance failures for which companies were penalised.

Lexology PRO has previously reported that Germany's state data protection authorities are highly active enforcers, but they rarely publicise their enforcement activity. Examples of enforcement by German authorities include a fine against Vodafone earlier this year and investigations into DeepSeek.

The UK Information Commissioner's Office

Many enforcement actions taken by the UK ICO focused on nuisance calls and other forms of marketing malpractice. It issued fines against companies that failed to establish sufficient security measures, leading to data breaches.

This included a £14 million (US$18 million) fine against Capita after hackers stole millions of customers’ information. According to the ICO, Capita failed to prevent privilege escalation, did not respond appropriately to security alerts, and its penetration testing and risk assessments were inadequate.

The ICO also fined 23andMe £2 million (US$3 million) and Advanced Computer Software Group £3 million (US$4 million) in separate instances for failing to adequately protect personal data following cyberattacks. 

It is worth noting that Lexology PRO has recently reported that civil society groups have raised the alarm about a “collapse in enforcement activity” by the UK data regulator following its decision not to investigate the MOD Afghan breach.

Largest fines for online platforms and telcos

Online platforms Meta, Google and TikTok were subject to the most enforcement activity from DPAs globally; SK Telecom and Vodafone also faced numerous enforcement actions. 

The French CNIL fined Google €325 million (US$376 million) in September 2025 for targeting account holders with advertisements and placing cookies without valid consent, in breach of the French Postal and Electronic Communications Code 1962.

Meanwhile, the Irish Data Protection Commissioner (DPC) fined TikTok €530 million (US$613 million) in May 2025 for transferring EU users’ personal data to China without appropriate safeguards. The DPC remains a high-penalty enforcer because Ireland is home to the EU subsidiaries of Big Tech companies, including Google, TikTok, Meta and Amazon.

These fines are higher than the already substantial penalties issued against online platforms during the same period in the previous year: €310 million (US$359 million) and €290 million (US$336 million) against LinkedIn and Uber, respectively. Like TikTok, Uber was fined for making unlawful international transfers of personal data, while LinkedIn’s penalty was for processing users’ data without a lawful basis.

The South Korean PIPC issued a ₩134.8 billion (US$93 million) fine against SK Telecom for failing to implement sufficient security measures, leading to a major data breach affecting over 23 million users. The company also failed to comply with data breach notification requirements.

Telcos also faced scrutiny in Europe. The German Federal Data Protection Commissioner (BfDI) imposed fines totalling €45 million (US$52 million) on Vodafone over security deficiencies in its authentication processes and for failing to adequately review and monitor partner agencies.

Enforcement against AI companies continues to grow

DPAs across the globe have increased scrutiny of AI companies as adoption of the technology becomes much more widespread.

The Italian Garante has been particularly active, issuing fines of €5 million and €15 million against Replika and OpenAI, respectively, under the EU GDPR. The fine against Replika was for failing to identify a legal basis for processing users’ data, insufficient age verification measures and lapses in its privacy policy. OpenAI was penalised for the same reasons, in addition to failing to notify the Garante of a data breach.

In the UK, the Upper Tribunal handed down a judgment in October 2025, ultimately upholding the Information Commissioner’s Office’s (ICO) 2022 fine of £7.5 million against Clearview AI for scraping images of UK residents from the web and social media for facial recognition purposes.

Meanwhile, the US Federal Trade Commission launched an inquiry into AI chatbots acting as companions, following serious concerns about the risks the technology poses to children’s safety and privacy. The Italian Garante fined chatbot company Replika

These cases underscore the growing tension between regulators and technology providers as they seek to strike a balance between innovation and compliance.

Regional trends suggest enforcement is rising

Trends among national EU DPAs

There were several instances of EU DPAs imposing multi-million-euro fines, underscoring the region’s status as a top privacy enforcement jurisdiction.

Shein was fined €150 million (US$174 million) by the French CNIL for placing cookies without consent and failing to adequately inform users about cookies, in violation of the French Data Protection Act 2018.

The Dutch DPA (AP) fined Netflix €5 million (US$6 million) for not including sufficient information in its privacy statements about how customers’ data was processed, in breach of the EU GDPR.

Meanwhile, the Polish DPA issued its highest GDPR fine to date, 16.1 million PLN (US$4 million) against McDonald’s, after employees’ personal data was exposed during a data breach at a third-party scheduling company. 

On EU DPAs’ enforcement activity, Adam Rose, Partner at Mishcon de Reya, said the following:

“European DPAs have indicated a shift towards tighter transparency enforcement, with the EDPB selecting transparency and information obligations under Articles 12 to 14 GDPR as the focus for its 2026 coordinated enforcement action.

The 2026 transparency initiative will likely involve mandatory questionnaires from national DPAs, examining how organisations inform individuals about data use, with potential investigations, formal warnings, compliance orders, or fines for deficient practices.”

Enforcement trends in APAC

As more Asia-Pacific countries move to establish comprehensive data protection laws, enforcement in the region is set to rise. 

October 2025 saw the first civil penalties issued under the Australian Privacy Act 1988: AUS$6 million (US$4 million) against Australian Clinical Labs following a data breach that exposed personal data to unauthorised access and exfiltration.

The Australian Information Commissioner also agreed to a AUS$50 million (US$33 million) payment programme as part of an enforceable undertaking against Meta in December 2024. The payment scheme is open to Facebook users impacted by the Cambridge Analytica scandal. 

Among its most notable actions, other than against SK Telecom, South Korea's PIPC issued fines totalling over ₩8 billion (US$5 million) against Kakao Pay and Apple for unauthorised overseas transfers of personal data. It also fined Meta ₩22 billion (US$15 million) for processing sensitive user data without a valid legal basis.

Enforcement trends in the US

Federal-level enforcement in the US focused on children’s privacy and safety, particularly in relation to online platforms and technology companies. 

A notable federal action came from the FTC, which reached a US$10 million settlement with Disney to resolve allegations that the company allowed children’s personal data to be collected from YouTube without notifying parents or obtaining their consent, as required under the Children’s Online Privacy Protection Act 1998 (COPPA). The US Department of Health and Human Services also took various actions, including those relating to data breach violations.  

State-level enforcement in the US came from the likes of the California Privacy Protection Agency, including the biggest financial settlement under the California Consumer Privacy Act, issued in September against Tractor Supply. Enforcement from the offices of state attorneys general is also on the rise.

What can businesses expect from data privacy enforcement in 2026 and beyond?

DPAs are showing no signs of curbing their activity in 2026. Reforms to the EU GDPR are expected, and further provisions of the EU AI Act 2024 will come into effect, which will have major implications for personal data processing.

Rohan Massey, Partner at Ropes & Gray, said:

“Implementation of many of the provisions of EU AI Act throughout 2026 will change how regulators treat AI uses that process personal data, including high-risk systems, biometric processing and workplace monitoring. Expect DPAs to test AI systems for lawful basis, data protection impact assessments (DPIA), data minimisation and transparency. Using AI without proper lawful basis, DPIAs, accuracy controls or safeguards can trigger both AI Act and GDPR.”

The European Commission presented its Digital Omnibus in November, unveiling proposed changes to data protection law, including an amended definition of personal data, centralised data breach notifications and clarification that personal data may be used to develop AI on the basis of legitimate interests. 

Other DPAs have set out their priorities for the coming year. The UK ICO pledges to focus on automated decision-making, facial recognition technology and emerging AI risks, among other issues. Similarly, the Canadian Office of the Privacy Commissioner has indicated it will address the privacy implications of AI, while also prioritising children’s privacy in 2026.