Five Years On: GDPR Enforcement Trends, Major Fines, and the Role of the EDPB

TL;DR
- GDPR enforcement has intensified: fines now exceed €4 billion and processing bans increasingly halt core services.
- The European Data Protection Board (EDPB) is driving consistency via binding decisions and coordinated investigations.
- Overlapping regimes such as the DSA, DMA and forthcoming AI Act mean GDPR compliance can no longer be siloed.
Table of Contents
- GDPR Enforcement Powers: More Than Just Fines
- Key GDPR Enforcement Trends (2018-Present)
- The European Data Protection Board (EDPB): Driving Consistency
- Interaction with Other EU Regulations
- Conclusion
May 2023 marked the fifth anniversary of the General Data Protection Regulation (GDPR) coming into effect across the European Union (EU) and European Economic Area (EEA). In that time, the GDPR has profoundly reshaped the global data privacy landscape. Its broad extraterritorial reach, stringent requirements, and potential for substantial fines have made compliance a critical concern for businesses worldwide, including those based in the US that handle the personal data of individuals in Europe. The GDPR is often cited as a prime example of the "Brussels effect", where EU regulations set de facto global standards, so understanding how it is being enforced in practice is vital. This post reviews key enforcement trends and the activities of the European Data Protection Board (EDPB) over the regulation's first five-plus years.
GDPR Enforcement Powers: More Than Just Fines
National Data Protection Authorities (DPAs) in each EU/EEA member state are responsible for monitoring and enforcing the GDPR. Their powers, outlined in Article 58, are extensive and include:
- Investigatory powers (audits, data access requests).
- Corrective powers (warnings, reprimands, compliance orders, temporary or permanent processing bans, data erasure orders).
- Authorization and advisory powers (approving codes of conduct, consulting on legislation).
- The power to impose significant administrative fines (Article 83).
It was the fining power that initially garnered the most attention. GDPR establishes two tiers of maximum fines, depending on the nature of the violation:
- Up to €10 million or 2% of the undertaking's total worldwide annual turnover of the preceding financial year (whichever is higher).
- Up to €20 million or 4% of the undertaking's total worldwide annual turnover of the preceding financial year (whichever is higher).
The actual fine imposed considers various factors, including the infringement's nature, gravity, duration, intentional or negligent character, actions taken to mitigate damage, the number of data subjects affected, categories of data involved, previous infringements, and cooperation with the DPA. The aim is to ensure fines are effective, proportionate, and dissuasive.
Key GDPR Enforcement Trends (2018-Present)
- Escalating Fines: While enforcement started relatively slowly in 2018, the frequency and magnitude of fines have increased dramatically, particularly since 2021. Publicly reported fines have crossed major thresholds, with the cumulative total reportedly exceeding €4 billion by mid-2023, and the number of decisions imposing fines approaching 2,000 by late 2023.
- Focus on Big Tech (but Not Exclusively): The largest fines have overwhelmingly targeted major international technology companies. High-profile examples include:
  - €1.2 billion against Meta Ireland (May 2023) for insufficient legal basis for data transfers to the US (post-Schrems II).
  - €746 million against Amazon Europe (July 2021) for non-compliance with general processing principles.
  - €405 million against Meta (Instagram) (September 2022) concerning children's data processing (legal basis, transparency, data protection by design/default issues).
  - €390 million against Meta Ireland (December 2022) regarding the legal basis for personalized advertising on Facebook/Instagram.
  - €345 million against TikTok (September 2023) regarding children's data processing (security, design/default, minimization).
  - €265 million against Meta Ireland (November 2022) for inadequate technical/organizational security measures.
  - €225 million against WhatsApp Ireland (September 2021) for transparency violations.
  - Significant fines against Google (e.g., €90M + €60M in France, Dec 2021) related to cookie consent practices.
Many of these large cases have been handled by DPAs in Ireland and Luxembourg, where numerous tech firms have their EU headquarters, under GDPR's "one-stop-shop" mechanism (allowing companies to deal primarily with one lead DPA). However, it's crucial to note that these headline figures represent only the tip of the iceberg. Hundreds of smaller fines have been issued across all member states, impacting businesses of various sizes and sectors. Spain, for instance, leads significantly in the number of fines issued, followed by countries like Italy and Romania.
- Common Grounds for Fines: Analysis of enforcement actions reveals recurring themes:
  - Insufficient Legal Basis (Art. 6): A very common violation, often involving improper reliance on consent (not freely given, specific, informed, or unambiguous), contractual necessity (processing not objectively necessary for the contract), or legitimate interests (failing the balancing test against data subject rights). This has been central to major advertising-related cases.
  - Non-Compliance with Core Principles (Art. 5): Violations related to lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality are frequently cited. The accountability principle (demonstrating compliance) underpins many enforcement actions.
  - Inadequate Security Measures (Art. 32): Fines often follow data breaches where technical and organizational security measures were found lacking.
  - Transparency and Information Obligations (Arts. 12-14): Failing to provide clear, comprehensive privacy notices to data subjects.
  - Data Subject Rights (Arts. 15-22): Improperly handling requests for access, rectification, erasure ("right to be forgotten"), restriction, portability, or objection.
- Enforcement Beyond Fines: While fines attract headlines, DPAs increasingly use other potent tools. Processing bans can be particularly impactful. Notable examples include:
  - The Italian DPA's temporary ban on OpenAI processing Italian users' data for ChatGPT in March 2023 (lifted after OpenAI implemented changes).
  - The Norwegian DPA imposing a temporary ban (later supported and extended EU-wide via EDPB intervention) on Meta processing user data for behavioral advertising based on contractual necessity or legitimate interests in July-October 2023. Such bans can halt core business activities and carry immediate operational consequences potentially exceeding the impact of a fine.
- The Role of Litigation and Activism: Enforcement is also driven by complaints from individuals and privacy advocacy groups (like Max Schrems' NOYB). Landmark rulings from the Court of Justice of the EU (CJEU), often stemming from such complaints (e.g., the Schrems I and Schrems II decisions invalidating EU-US data transfer frameworks), significantly shape GDPR interpretation and enforcement priorities.
The European Data Protection Board (EDPB): Driving Consistency
The EDPB, composed of representatives from each national DPA and the European Data Protection Supervisor (EDPS), plays a critical role in ensuring the consistent application of GDPR across Europe (Articles 68-76). Its key activities include:
- Guidelines, Recommendations, and Best Practices: The EDPB actively issues guidance documents interpreting various GDPR provisions. These cover crucial topics like territorial scope, consent requirements, Data Protection Officers (DPOs), Data Protection Impact Assessments (DPIAs), data breach notifications, international data transfers (including post-Schrems II measures), calculating administrative fines, and more. While not legally binding in the same way as CJEU judgments, EDPB guidelines are highly influential and followed closely by DPAs and businesses alike. Japan's Personal Information Protection Commission (PPC) provides Japanese translations for some key EDPB guidelines.
- Binding Decisions in Cross-Border Cases (Art. 65): Under the one-stop-shop mechanism, if DPAs involved in a cross-border case cannot reach consensus on a draft decision proposed by the lead DPA, the matter is referred to the EDPB for a binding decision. This dispute resolution mechanism has been increasingly utilized since 2020. EDPB decisions have sometimes required lead DPAs to find additional violations or impose higher fines than initially proposed, pushing towards more harmonized and robust enforcement.
- Urgency Procedure (Art. 66): In exceptional circumstances requiring urgent action, a DPA can adopt provisional measures. If it intends these to become final and affect other member states, it can request an urgent binding decision from the EDPB, as seen in the 2023 Meta behavioral advertising case.
- Coordinated Enforcement Framework (CEF): Launched under the EDPB's 2021-2023 strategy, the CEF involves annual coordinated investigations by multiple DPAs focusing on specific pre-determined topics. The first action in 2022 examined the use of cloud services by the public sector. The 2023 action focused on the designation and role of DPOs, and the 2024 action will target the implementation of the right of access by data controllers. These coordinated actions signal areas of heightened regulatory interest across the EU.
Interaction with Other EU Regulations
GDPR compliance doesn't exist in a vacuum. Businesses, particularly in the digital space, must also consider overlapping or complementary EU regulations:
- ePrivacy Directive (2002/58/EC): This directive specifically regulates privacy in electronic communications, including rules on cookies, tracking technologies, and direct marketing (often requiring consent under stricter standards than GDPR might otherwise imply for certain processing). Enforcement related to cookie banners and consent mechanisms has been active, leading to significant fines (e.g., against Google and Meta in France). Efforts to replace the Directive with a directly applicable ePrivacy Regulation have been ongoing for years but remain stalled. The EDPB established a Cookie Banner Taskforce, issuing a report in 2023 to promote consistent enforcement regarding deceptive cookie consent designs.
- Digital Services Act (DSA) & Digital Markets Act (DMA): These major regulations (fully applicable from February 2024 and March 2024, respectively) primarily target online platforms and large "gatekeeper" platforms. They intersect with GDPR on issues like targeted advertising restrictions (DSA prohibits targeting minors or using sensitive data), dark patterns (DSA prohibits deceptive interfaces that manipulate user choices, relevant for GDPR consent), and data combination restrictions (DMA limits how gatekeepers can combine personal data across services).
- Data Act & AI Act: Upcoming regulations like the Data Act (promoting access to and sharing of IoT data, including personal data where GDPR applies) and the AI Act (regulating AI systems based on risk, with implications for AI using personal data for training or operation) will further interact with the GDPR framework.
Conclusion
After more than five years, GDPR enforcement is demonstrably active, sophisticated, and carries substantial risk for non-compliant organizations globally. While headline fines target major tech players, businesses of all sizes and sectors are subject to scrutiny. Core GDPR principles around lawful processing, transparency, security, and data subject rights remain central enforcement themes. The EDPB is playing an increasingly assertive role in harmonizing interpretation and enforcement actions across member states. For US companies operating in the European market, maintaining robust GDPR compliance requires ongoing vigilance, attention to EDPB guidance and CJEU case law, and an understanding of how GDPR interacts with the rapidly expanding landscape of EU digital regulation.