Comparative tracking of GDPR enforcement by national data-protection authority. Since 2018, European authorities have imposed around €7.1 billion across more than 2,600 fines, but that total is very unevenly distributed: Ireland concentrates more than half the amount (due to big tech's European headquarters), while Spain leads by number of fines with much smaller average amounts. The tracker measures two gaps: cumulative amount versus number of sanctions (sanctioning a lot is not sanctioning expensively), and the distance between the announced fine and the final one (Amazon's €746 million sanction was annulled on appeal). Each record profiles a national authority with its approach, its volume and its flagship case.
Statistical readings derived from the attributes of each recorded case. All figures come from the documented events; amounts are computed only over cases with a sum expressed in the indicated currency, without converting between currencies.
Choropleth by number of forensically or judicially documented cases. Countries with no verifiable public cases remain in the base colour — the absence of events does not equal the absence of surveillance. Hover or click a coloured country to see the cases.
Saying Europe has fined €7.1 billion under the GDPR hides the essential: that money is not shared equally by the Twenty-Seven. Ireland concentrates over half the amount with just a handful of giant fines; Spain imposes nearly a thousand sanctions, but far cheaper. Sanctioning a lot and sanctioning expensively are two different things, and this tracker separates them.
The GDPR is a single law, but it is applied by twenty-seven national authorities plus those of the European Economic Area, and each does it its own way. The aggregate headline —around €7.1 billion in fines since 2018, per the CMS GDPR Enforcement Tracker— is true but misleading, because it hides an enormous inequality in how that enforcement is distributed. This tracker profiles the main authorities to answer the question the aggregate does not: who really sanctions, and how?
The first gap that stands out is amount versus volume. Ireland's Data Protection Commission accumulates around €4.04 billion —over half the European total— with just a handful of fines, nine of the ten largest in history. Spain, by contrast, has imposed nearly a thousand sanctions, the continent's highest count, but with a far lower average amount. They are two opposing philosophies: Ireland sanctions little and huge; Spain, a lot and cheap. Neither is 'the right one'; they are different regulatory strategies that the aggregate figure merges and hides.
Ireland's dominance is structural, not accidental: Meta, Google, TikTok, LinkedIn, Apple and Microsoft have their European headquarters in Dublin, and under the GDPR's one-stop-shop mechanism, the authority of the country of establishment leads the investigation. That turns a regulator from a country of five million people into the de facto arbiter of the privacy of hundreds of millions of Europeans.
The second gap the tracker captures is this outlet's usual one: the distance between the fine that makes headlines and the one that becomes final. Luxembourg is the textbook case. Its authority ranks second in Europe by cumulative amount —around €746 million— but almost all of it comes from a single sanction: the 2021 Amazon fine. And that fine was annulled on procedural grounds by the Luxembourg Administrative Court in March 2026, even though the underlying violations were upheld. On paper, Luxembourg is a major sanctioner; in practice, its largest fine evaporated on appeal.
And then there are the approaches that do not even prioritize the fine. Sweden consults and warns before sanctioning; the United Kingdom, after Brexit, applies an openly fine-sceptical philosophy —its commissioner said he does not believe they are the highest-impact tool—. A low cumulative amount does not mean a passive authority: it may mean one that regulates with other tools. That is why the tracker profiles each authority's approach, not just its figure.
For a data-protection officer, a law firm or a company operating in several European markets, knowing 'how much Europe fines' is useless; what matters is which authority supervises it depending on where its main establishment is, and how that specific authority sanctions. Falling under France's CNIL —aggressive on cookies and ad-tech— is not the same as falling under an authority that warns before fining. The tracker turns the European aggregate into a comparable map, authority by authority, of where the real risk lies.
That is the asset's value: going from '€7.1 billion in GDPR fines' to 'Ireland €4.04 billion by structural concentration, France over €1 billion aggressive on cookies, Spain nearly a thousand fines but cheap, Luxembourg second by amount but with its largest fine annulled'. That granularity is the difference between a headline and a due-diligence tool.
The UK Information Commissioner was an outlier in 2024, with very few fines. Its head, John Edwards, said in November 2024 that he does not believe fines have the greatest impact and that they would tie his office up in years of litigation. After Brexit, the UK applies its own version of the GDPR with a deliberately less punitive philosophy.
The Swedish authority follows a different approach from the big sanctioners: it prioritizes consultation and issues reprimands or warnings before imposing fines. Its cumulative amount is low, not from inaction, but from regulatory philosophy: the financial penalty is the last resort, not the first.
The Dutch authority applies forceful though less numerous sanctions: in August 2024 it imposed a €290 million fine, one of the year's largest in Europe. It prioritizes systemic cases over volume.
The Luxembourg authority accumulates around €746 million, almost all from a single sanction: the 2021 Amazon fine for advertising without valid consent. That fine was annulled on procedural grounds by the Luxembourg Administrative Court in March 2026, though the underlying violations were upheld. It is the perfect example of the gap between announced and final amount.
Italy's Garante is one of the most active authorities by number of sanctions (41 in 2024, third in the EU) and has been a pioneer in acting against AI services over data processing. It combines sanctions on large and mid-sized firms in sectors such as utilities and telecoms.
Ireland's Data Protection Commission leads by far: around €4.04 billion cumulative, over 50% of the European total, and 9 of the 10 largest GDPR fines. Its dominance is structural: Meta, Google, TikTok, LinkedIn, Apple and Microsoft have their European headquarters in Dublin, making it the lead authority under the one-stop-shop. Largest fine ever: Meta, €1.2 billion (2023).
France's CNIL overtook Luxembourg in 2025 and is the second authority besides Ireland to exceed €1 billion cumulative. It has been the most aggressive on cookie consent and advertising: in September 2025 it imposed €325 million on Google and €150 million on Shein.
The Spanish Data Protection Agency is Europe's most active by volume: nearly 1,000 fines since 2018, the continent's highest count. But its average amount is far below other authorities. It is the opposite of Ireland: it sanctions a lot and cheaply, versus Ireland which sanctions little and huge. By number of fines in 2024 it led with 107, followed by Romania and Italy.
Germany is a particular case: its enforcement is split among the data-protection authorities of each Land (federal state), plus the federal one. This produces a relevant volume of sanctions (around €45.9 million in the analyzed 2024 period) but dispersed, without Ireland's concentration nor Spain's unit volume.
Each record profiles a national data-protection authority with its cumulative GDPR fine amount since 2018, its approximate number of sanctions, its regulatory approach (sanction directly, warn before fining, sceptical of fines) and its flagship case. The amounts come from specialised trackers (CMS, DLA Piper, Statista) and are approximate given differences in methodology and cutoff date between sources; ranges are cited where sources differ. A distinction is drawn between announced and final fine: where a sanction has been annulled or reduced on appeal, it is noted. No unpublished figures are imputed. The decisive field is the contrast between amount and volume, which reveals opposing regulatory approaches.