GDPR violations have cost companies billions since being introduced
Over the span of six years since the implementation of the European Union’s General Data Protection Regulation (GDPR), a staggering €4.5 billion ($4.9 billion) in fines have been paid by companies found in violation of the regulation. Research conducted by NordLayer has shed light on the extent to which individual data protection authorities have enforced GDPR, revealing a total of 2,072 violations.

The data underscores the seriousness with which GDPR violations are treated, indicating that companies failing to comply with the stringent measures set forth by the regulation are being penalized accordingly. Since its enactment in May 2018, GDPR has exerted a significant influence on data protection and privacy practices, although it has also introduced added complexity for many consumers navigating the digital landscape.

Among the European nations, Spain, Italy, and Germany have recorded the most GDPR violations. Spanish businesses, in particular, have faced the brunt of penalties, with a total of 842 fines amounting to €80 million. Italy, despite receiving fewer fines than Spain, incurred nearly three times the total amount in penalties, suggesting a higher average fine. German companies, on the other hand, were fined 186 times, resulting in penalties totaling €55 million.
Carlos Salas, a cybersecurity expert at NordLayer, emphasized the transformative impact of GDPR on data handling practices, with businesses across various industries compelled to overhaul their approach and invest in robust security measures to achieve compliance. The regulation, according to Salas, has prompted a much-needed prioritization of privacy rights in the digital realm.

Meta, the parent company of Facebook and WhatsApp, emerged as the most penalized entity, accounting for six out of the top 10 fines. With a cumulative fine of €2.5 billion, Meta alone contributed more than half of the total financial penalties. Notably, Meta’s largest fine, amounting to €1.2 billion, was imposed for insufficient legal basis for data processing in 2023, significantly surpassing the second-largest fine, a €746 million penalty levied against Amazon. Other notable companies in the top 10 included TikTok and Google, with Italy’s Enel Energia being the sole outlier in the Big Tech-dominated list of GDPR violators.