The world’s most influential digital sanctions regime
Since the General Data Protection Regulation entered into force in May 2018, European authorities have imposed, according to the CMS GDPR Enforcement Tracker, more than 7.1 billion euros in penalties, spread across more than 2,800 fines. The figure is no regulatory footnote: it is the de facto global benchmark. When a country in Latin America or Asia writes its data-protection law, it looks to the GDPR. When a company on any continent serves European users, it falls under it.
This tracker neither celebrates nor denounces the fines. It orders them. It measures three things the headline tends to conflate: how much has been sanctioned, against whom, and (the question almost no one asks) how much of that has actually been collected versus what remains under appeal. Because between the announced fine and the final fine lies an abyss of years and appeals.
The big ten, almost all tech
Nine of the ten largest GDPR fines in history have fallen on big tech firms. The podium is led, by an enormous distance, by Meta.
| Company | Fine | Year | Reason |
|---|---|---|---|
| Meta | €1,200M | 2023 | Transfer of European user data to the US without safeguards |
| Amazon | €746M | 2021 | Targeted advertising system without adequate consent |
| TikTok (ByteDance) | €530M | 2025 | Unlawful transfer of EEA data to China |
| Meta | €405M | 2022 | Processing of minors’ data on Instagram |
| Meta | €390M | 2023 | Change of legal basis from consent to contract |
| TikTok | €345M | 2023 | Processing of minors’ accounts |
| | €310M | 2024 | Incorrect legal basis for advertising and analytics |
The pattern that emerges is sharp. International data transfers (Article 46) generate the highest individual fines: Meta’s €1.2 billion and TikTok’s €530 million. And minors’ data appears in four of the ten largest sanctions. Meta, adding its subsidiaries, concentrates around 40% of the accumulated total: it is, by far, the system’s repeat offender.
The gap nobody headlines: announced vs. final
Here is the data point that turns this tracker into a due-diligence tool rather than a list of records. An announced fine is not a collected fine. The €1.2 billion sanction against Meta was appealed; its final outcome, after years of litigation, may differ from the headline figure. The same goes for much of the big ten: they are announced, appealed, and only years later does anyone know how much actually enters public coffers.
A serious tracker therefore distinguishes between statuses the public tends to merge into one:
| Fine status | What it means | Due-diligence value |
|---|---|---|
| Announced / proposed | The regulator signals its intent to sanction | Risk signal, not firm liability |
| Imposed (first instance) | Administrative decision issued | Contingent liability |
| Appealed | The company challenges in court | Amount in dispute |
| Final | Appeals exhausted | Certain liability |
| Reduced / annulled | Court modifies or strikes the sanction | The real amount differs from the announced one |
| Collected | The money actually enters | Real enforcement |
The difference between these boxes is exactly the information a bank, an insurer or a law firm needs to assess the real regulatory risk of a counterparty. The headline says “€1.2 billion.” The analyst needs to know which box that figure is in today.
The DSA and DMA enter the scene
The GDPR is no longer the only front. The Digital Services Act (DSA) and the Digital Markets Act (DMA) have begun to add their own sanctions, and the caliber is comparable. In 2025, the Commission fined Apple €500 million and Meta €200 million for DMA infringements. And on the DSA front, Meta and TikTok face preliminary findings that, if confirmed, could reach 6% of their global turnover, a figure estimated at around 9.87 billion dollars for Meta.
| Law | What it regulates | Maximum sanction | 2025 cases |
|---|---|---|---|
| GDPR | Personal data | 4% global turnover | Meta, TikTok, LinkedIn |
| DMA | Competition among “gatekeeper” platforms | 10% global turnover | Apple €500M, Meta €200M |
| DSA | Content and systemic risks | 6% global turnover | Preliminary findings Meta/TikTok/X |
The qualitative leap of the DSA and DMA is that their ceilings, 6% and 10% of global turnover, exceed the GDPR’s 4%. European digital regulation has raised the stakes. The detail of the seven gatekeepers designated under the DMA, their services and the status of each sanction and investigation is tracked in the DMA gatekeepers tracker.
Ireland, the authority that concentrates the power
A structural fact runs through the whole system: Ireland’s Data Protection Commission imposes more than half of all GDPR fines. It is no accident: the European headquarters of Meta, TikTok, LinkedIn, Apple and Google are in Ireland, and under the GDPR’s “one-stop-shop” mechanism, the authority of the country of establishment leads the investigation. That makes the Irish regulator the de facto arbiter of half the world’s privacy, a concentration of power with as many defenders (consistency, specialization) as critics (slowness, pressure from a sector key to the Irish economy). We compare the main national authorities (who sanctions a lot, who sanctions expensively and who prefers to warn) in the GDPR enforcement by country tracker.
The contrast with other states is revealing. While Ireland sanctions, other national authorities are not yet fully operational. Spain is a textbook case: it designated the CNMC as its Digital Services Coordinator in January 2024, but as of May 2026 that coordinator still has no approved sanctioning regime, its legal enabling provision has been repealed, and a European infringement procedure is open. We track it milestone by milestone in the Spanish DSA Coordinator gap tracker: having the authority named is not the same as having it sanctioning.
Why this is a dataset, not an anecdote collection
Tracking European digital fines as a structured database (company, law, announced amount, final amount, appeal status, authority, reason) answers questions the news flow cannot. How much does Meta really owe once appeal reductions are discounted? Which law generates the most real enforcement per country? What proportion of the announced amount is actually collected? Each answer has a buyer: compliance teams, law firms, regulatory-risk insurers, due-diligence providers, GRC platforms.
The value lies not in the big headline figure, but in traceability: being able to go from “€1.2 billion against Meta” to “imposed in 2023, appealed, pending final resolution, authority DPC Ireland, reason international transfers.” That chain is the difference between a news story and a data asset.
Methodology note
The figures come from the CMS GDPR Enforcement Tracker, the data-protection authorities’ press releases and the European Commission’s DSA and DMA decisions, with a cutoff in early 2026. A distinction is drawn between an announced, imposed, appealed, final, reduced, annulled and collected fine. The DSA/DMA amounts cited as “potential” are preliminary findings, not final sanctions. Diálogo Ciudadano does not provide legal advice; this tracker is informational infrastructure and does not constitute a valuation of any company’s liability.