In the six years that the European Union's General Data Protection Regulation (GDPR) has been in force, €4.5 billion ($4.9 billion) in fines have been paid for violations.
NordLayer research has revealed that individual data protection authorities have issued 2,072 breaches, highlighting that the regulation is being taken seriously and that companies that do not comply with the new measures are being punished.
Since its creation in May 2018, the GDPR has significantly influenced privacy and data protection practices; however, for many consumers, it has also added another layer of complexity.
GDPR fines show that companies are being penalized
Spain, Italy and Germany top the list of GDPR violations. Spanish companies were the most sanctioned, with 842 fines for a total of 80 million euros. Despite receiving less than half as many fines as Spain, Italy paid approximately three times as much in fines, suggesting that its fines were larger on average. German companies were fined 186 times, resulting in penalties of 55 million euros.
Carlos Salas, cybersecurity expert at NordLayer, said: “We have witnessed companies across all sectors changing their data handling practices and investing in security measures to achieve compliance… [GDPR] has reshaped the digital landscape, forcing a much-needed prioritization of privacy rights.”
Meta, responsible for six of the 10 largest fines, was the most sanctioned company. Between the parent company and its subsidiaries Facebook and WhatsApp, it paid 2.5 billion euros in fines, representing more than half of all financial sanctions.
The largest, a €1.2 billion fine for insufficient legal basis for data processing in 2023, far exceeded the second largest: a €746 million fine imposed on Amazon. Other companies in the top 10 included TikTok and Google, and only one company in the top 10 fell outside the Big Tech category: Italy's Enel Energia.
Salas summarized: “Data protection regulations are evolving and cyber threats are becoming more sophisticated, so companies must continue to be proactive in their approach to data security and privacy.”