Eight years after GDPR took effect, courts have quietly erased or suspended a substantial share of the headline enforcement numbers. According to analysis published this week by Alliance Risk, a cyber risk advisory firm, European regulators have announced €7.1 billion in GDPR fines since May 2018 - but roughly €2.8 billion of that total, nearly 40%, is either already annulled or actively contested before courts. The data arrives on the regulation's eighth anniversary and lands during a moment of unusual institutional pressure: the AI Act is set to reach full application in August 2026, and the European Commission is already attempting to rewrite parts of GDPR itself through the Digital Omnibus legislative package.

The gap between announced penalties and collected ones is not new, but the scale now visible in court records is striking. Two major fines were annulled outright in March 2026. Luxembourg's Administrative Court struck down the €746 million fine imposed on Amazon by the National Commission for Data Protection (CNPD) in 2021. A Rome court annulled Italy's Garante's €15 million fine against OpenAI. Together, those two decisions alone removed €761 million from the enforcement ledger in a single month.

A map of contested fines

The Alliance Risk data, drawn primarily from the CMS Law GDPR Enforcement Tracker and cross-referenced against IAPP enforcement data and trackers from Kiteworks and UniConsent, shows 2,879 enforcement actions across Europe between May 2018 and May 2026, producing a gross cumulative total of approximately €7.1 billion. The figure ranges between €6.8 billion and €7.2 billion depending on the snapshot date, so Alliance Risk used €7.1 billion as its current working figure.

Under active legal challenge are four penalties of significant size. Meta faces an appeal on a €1.2 billion fine for illegal data transfers to the United States. TikTok is contesting its €530 million fine issued by Ireland's Data Protection Commission in April 2025 for unlawful transfers to China. Two further Meta fines - one of €265 million and one of €91 million - are also under appeal, according to Alliance Risk, which sourced the appeals total from DPC press releases and High Court filings.

The enforcement map the firm published alongside its analysis - available at gdpr-interactive-map-2018-2026.netlify.app - shows total fine values, case counts, and average fines across European jurisdictions, adjusted for appeals. An accompanying CSV dataset, provided to PPC Land, breaks down the figures by country. The numbers shift the picture significantly from what regulators have publicly announced.

Ireland's structural dominance

Among all European jurisdictions, Ireland sits in a category of its own. According to the Alliance Risk dataset, Ireland accounts for €4.04 billion of the total - roughly 66% of all GDPR fine value - generated by just 37 enforcement actions. The average per fine in Ireland is approximately €109 million, against a considerably lower EU-wide average.

The concentration follows from GDPR's one-stop-shop mechanism, which designates the data protection authority of a company's principal EU establishment as lead regulator. Because major US technology platforms - Meta, Google, Apple, LinkedIn, TikTok - have their European headquarters in Ireland, the Irish Data Protection Commission handles cross-border enforcement for some of the largest and most legally contested cases on the continent.

PPC Land has covered the structural consequences of this arrangement extensively, including criticism from privacy organisation noyb that only 0.6% of officially announced Irish fines were ever collected. The EDPB's 2025 annual report, covered by PPC Land in April 2026, showed that Ireland alone accounted for €530,773,000 of the €1.15 billion in GDPR fines recorded across the EEA in 2025 - almost entirely the TikTok decision.

France sits second in the Alliance Risk ranking with €888.1 million across 81 enforcement actions. The Netherlands follows with €353.4 million from 42 actions. Italy comes fourth with €311.2 million - the product of 538 individual cases, a number that reflects a notably different enforcement style compared with Ireland's concentration on large technology platforms. Spain leads on volume with 1,070 enforcement actions, though its total fine figure of €137 million reflects a comparatively lower average per case.

The Amazon and OpenAI annulments in detail

The Luxembourg ruling, case number 52757C, was issued on March 12, 2026. PPC Land reported the outcome and subsequently published a detailed legal analysis of the decision. The court did not contest that Amazon had violated GDPR. Instead, it found that the CNPD had applied a form of strict liability without ever assessing negligence as a threshold condition, as required by Court of Justice of the European Union case law. The fine was annulled in its entirety and the case remanded to the regulator.

The OpenAI annulment followed different logic but produced the same result. A Rome tribunal published its reasoning in March 2026, annulling the Garante's November 2024 decision imposing a €15 million fine against OpenAI over ChatGPT data processing. The court ruled on a single procedural point: once OpenAI established its Irish subsidiary, the Irish DPC became the lead supervisory authority, stripping the Garante of jurisdiction to issue a final sanction. As PPC Land reported, nine months of Italian enforcement work culminating in a €15 million order was voided on that basis, without any ruling on whether the underlying conduct was lawful.

Both cases illustrate what Nika Biliavska, Cyber Risk Analyst at Alliance Risk, describes as a structural problem with the regime. "The framework has structural weaknesses that large companies have learned to exploit in court, and nearly 40% of announced fines reflect that," according to Alliance Risk's written commentary accompanying the data.

The TikTok and Meta appeals

The four fines currently under active appeal represent the most financially significant contested penalties still working through the courts. Ireland's €530 million TikTok fine, announced April 30, 2025, broke down as €485 million for failing to ensure adequate data protection for EEA user transfers to China and €45 million for transparency violations. TikTok filed an originating notice on May 27, 2025, and Ireland's High Court granted judicial review permission in July 2025. A November 2025 High Court judgment granted a conditional stay pending the full appeal, meaning the order requiring TikTok to suspend data transfers to China is not currently being enforced.

Meta's €1.2 billion fine - still the largest individual GDPR penalty ever announced - concerns illegal transfers of European user data to the United States. It was issued by the DPC in May 2023 following an EDPB binding decision. The appeal continues, alongside two smaller Meta penalties of €265 million and €91 million, also under challenge.

Breach notification: a 72-hour standard spreading globally

Alongside the enforcement data, Alliance Risk produced a comparative analysis of breach notification timelines across jurisdictions. GDPR's 72-hour rule - requiring controllers to notify their supervisory authority within 72 hours of becoming aware of a personal data breach - has been adopted in six jurisdictions: the European Union, the United Kingdom, Thailand, Kenya, Nigeria, and South Korea. The analysis was compiled from each jurisdiction's official regulatory guidance and DLA Piper's Data Protection World resource.

Other frameworks diverge sharply. HIPAA in the United States gives affected organisations 60 days to notify. The SEC's cybersecurity disclosure rule requires notification within four business days of a "material" determination. Brazil's Lei Geral de Proteção de Dados allows three working days. India stands at the other extreme, requiring notification within six hours for significant data fiduciaries under the Digital Personal Data Protection Act.

The US CIRCIA rule for critical infrastructure, which cites GDPR's 72-hour standard, is pending final rulemaking. The United States still has no single federal breach notification standard, with 50 separate state laws ranging from 30 to 90 days.

What the data says about enforcement concentration

The country-level data reveals substantial variation beyond the headline totals. Germany, with 218 enforcement actions and €93.4 million in total fines, produces an average fine of approximately €428,000 - a figure consistent with more granular, case-by-case enforcement across diverse industries rather than large platform-level proceedings. Austria, with 39 actions totalling €42.5 million, records an average of €1.09 million per fine.

At the lower end, Iceland and Liechtenstein - both EEA members subject to GDPR - show totals of €100,000 and €50,000 respectively, across five and two enforcement actions. These are marked as estimated figures in the dataset, reflecting the limitations of cross-jurisdictional data collection.

Luxembourg's position in the Alliance Risk data is notable. The country appears with an €800,000 total and 10 enforcement actions - figures that exclude the €746 million Amazon fine, which has been removed from the tracker following the March 2026 annulment. That exclusion explains an apparent discrepancy between Luxembourg's €746 million position in older enforcement tracking reports and its current status in the Alliance Risk map.

Portugal's enforcement record has attracted separate scrutiny. PPC Land reported in May 2026 that Portugal's CNPD opened 3,201 cases and 2,037 investigations in 2025 but applied just two fines totalling €47,000 across the entire year.

The framework under revision

Alliance Risk situates the enforcement gap within a broader context of regulatory change. The European Commission is advancing GDPR amendments through the Digital Omnibus package, proposed in November 2025. Draft amendments would narrow sensitive data definitions, establish legitimate interest as a legal basis for AI training data, raise breach notification thresholds, and restrict data subject access rights in certain circumstances.

The AI Act, meanwhile, is scheduled to reach full application on August 2, 2026. Talks in Brussels over proposed changes through the Digital Omnibus package did not produce agreement, and as PPC Land reported in April 2026, the deadline holds without modification.

The simultaneous pressure on two fronts - active legal challenges eroding announced GDPR penalty totals, and legislative proposals revising the regulation itself - means the enforcement picture at the eight-year mark is considerably more complicated than the headline €7.1 billion figure suggests. According to Alliance Risk, "the framework is being rewritten while it's still being tested."

For marketing and advertising technology companies that have built compliance programmes around the existing rules, the instability cuts in multiple directions. Legal challenges by large platforms establish precedents on negligence standards and jurisdictional scope. Digital Omnibus amendments, if adopted, would alter what data can be processed under legitimate interest, change notification obligations after breaches, and expand permissible uses of personal data in AI development. The EDPB's 2025 annual report adopted first-ever joint guidelines with the European Commission on DMA-GDPR interaction, setting binding expectations for how large platforms structure consent for advertising - a ruleset now itself subject to Digital Omnibus revision.

Summary

Who: Alliance Risk, a cyber risk advisory firm, analysed eight years of GDPR enforcement data compiled primarily from the CMS Law GDPR Enforcement Tracker, cross-referenced with IAPP, Kiteworks, and UniConsent sources. Spokespeople are Nika Biliavska (Cyber Risk Analyst) and David Vainer (CEO). The analysis concerns enforcement actions by European data protection authorities against companies including Amazon, Meta, TikTok, and OpenAI.

What: European regulators have announced €7.1 billion in GDPR fines across 2,879 enforcement actions since May 2018. According to Alliance Risk's analysis, approximately €2.8 billion - nearly 40% - is either already annulled by courts or under active legal challenge. Two fines were annulled outright in March 2026: Amazon's €746 million Luxembourg penalty and OpenAI's €15 million Italian penalty. Four additional fines totalling approximately €2.1 billion (Meta €1.2 billion, TikTok €530 million, Meta €265 million, Meta €91 million) are under active appeal.

When: The data covers the period from GDPR's implementation on May 25, 2018 through May 2026. The Alliance Risk analysis was published on May 29, 2026, marking the regulation's eighth anniversary.

Where: Enforcement actions span 31 jurisdictions across the European Economic Area plus the United Kingdom under UK GDPR. Ireland accounts for 66% of all fine value by total amount. Luxembourg's €746 million Amazon fine has been removed from the current tracker following its annulment. An interactive map of the data is available at gdpr-interactive-map-2018-2026.netlify.app.

Why: The analysis matters because headline GDPR fine totals are regularly cited as evidence of robust enforcement, while the actual collection picture is substantially different. Companies have successfully challenged fines on procedural grounds - including inadequate negligence analysis and jurisdictional disputes under the one-stop-shop mechanism - without courts necessarily finding that the underlying conduct was lawful. Simultaneously, the European Commission is proposing to amend GDPR through the Digital Omnibus package, and the AI Act is approaching full application in August 2026, creating a period where the data protection framework is subject to legal challenge and legislative revision at the same time.
