Enforcement

GDPR fines pass €6.5 billion as enforcement matures

Latest Updates | 20 January 2026
€6.5bn+
Cumulative fines since 2018

Nearly eight years in, total GDPR penalties imposed across the EEA have climbed past €6.5 billion. Enforcement has shifted from headline one-offs to sustained scrutiny of adtech, AI training data and international transfers.

When the GDPR became enforceable in May 2018, few predicted the scale of penalties that would follow. By early 2026, cumulative fines reported across the European Economic Area had passed the €6.5 billion mark, according to public enforcement trackers — driven overwhelmingly by a small number of very large decisions against global platforms.

The trend tells a clearer story than the totals. Regulators have moved beyond punishing missing paperwork toward structural questions: is the legal basis for behavioural advertising valid, can data be lawfully sent outside the EU, and how should the rules apply to systems that train on personal data at scale.

For most organisations the practical lesson is unchanged but more urgent — document your lawful basis, keep your records of processing current, and be ready to demonstrate accountability rather than merely assert it.

Source: CMS GDPR Enforcement Tracker

The information contained within this resource in no way constitutes legal advice. Any person who intends to rely upon or use this information is solely responsible for independently verifying it and obtaining independent expert advice if required.
