Latest Updates

GDPR, as it stands today.

The GDPR did not stop evolving in 2018. Record fines, a new transatlantic transfer framework, the EU AI Act and fresh regulator guidance keep reshaping what compliance means. Here is what is moving now.

Enforcement20 January 2026

GDPR fines pass €6.5 billion as enforcement matures

Nearly eight years in, total GDPR penalties imposed across the EEA have climbed past €6.5 billion. Enforcement has shifted from headline one-offs to sustained scrutiny of adtech, AI training data and international transfers.

Read the briefing
€6.5bn+
Cumulative fines since 2018
Legislation10 November 2025

New rules to streamline cross-border 'one-stop-shop' enforcement

EU lawmakers agreed a GDPR Procedural Regulation to harmonise how cross-border cases are handled between national regulators — targeting the delays and disputes that have dogged the one-stop-shop mechanism.

Read more
Enforcement2 May 2025
€530m

TikTok fined €530 million over data transfers to China

Following an earlier €345 million fine over children's data, Ireland's regulator penalised TikTok €530 million for failing to guarantee that European users' data sent to China received protection essentially equivalent to the EU's.

Read more
Technology1 August 2024

The EU AI Act enters into force — and it runs on top of the GDPR

The world's first comprehensive AI law took effect on 1 August 2024, phasing in through 2026. It does not replace the GDPR — it layers on top of it, with personal data fuelling most AI systems in scope.

Read more
Guidance17 April 2024

EDPB tightens the screws on 'pay or consent' advertising models

The European Data Protection Board issued an opinion warning that large online platforms offering only a binary 'pay a fee or consent to tracking' choice will, in most cases, fail to obtain valid GDPR consent.

Read more
Transfers10 July 2023

EU–US Data Privacy Framework adopted — transatlantic transfers reopen

The European Commission adopted its adequacy decision for the EU–US Data Privacy Framework, giving certified US companies a renewed legal route to receive personal data from the EU after the collapse of Privacy Shield.

Read more
Transfers22 May 2023
€1.2bn

Meta hit with record €1.2 billion fine over EU–US data transfers

Ireland's Data Protection Commission fined Meta €1.2 billion for continuing to transfer European Facebook users' data to the United States without adequate safeguards — the largest GDPR penalty ever issued.

Read more

The information contained within this resource does in no way constitute legal advice. Any person who intends to rely upon or use this information is solely responsible for independently verifying it and obtaining independent expert advice if required.

Affected by any of this?

Our data-protection lawyers translate regulatory change into a plan for your organisation — transfers, AI, consent and breach response.

Talk to a lawyer