News

Ireland continues to hold its position as Europe’s most active data protection enforcer, according to the latest annual Data Breach Survey published by DLA Piper. Since the introduction of GDPR in May 2018, Ireland’s Data Protection Commission has issued fines totalling €4.04 billion, placing it well ahead of all other EU regulators.

The report shows that Ireland’s cumulative fine total is almost four times higher than that of France, which now ranks second overall. A major contributor to Ireland’s lead was the largest GDPR penalty imposed during 2025, a €530 million fine issued to TikTok over the transfer of European users’ personal data to China. That decision is currently under appeal.

Across Europe, total GDPR fines for 2025 reached approximately €1.2 billion, broadly in line with the previous year. Ireland and France together accounted for more than €1 billion of this figure. Since GDPR came into force, cumulative fines across the EU have now reached €7.1 billion.

The single largest GDPR fine on record remains the €1.2 billion penalty imposed on Meta by the Irish regulator in 2023. Overall, eight of the ten highest GDPR fines ever issued have been imposed by the Irish DPC, underlining its central role in European enforcement.

Despite the scale of penalties announced, legal challenges continue to delay payments. Of the €4.04 billion in fines imposed by the Irish regulator to date, €20 million has been collected so far.

The survey also highlights a sharp increase in reported personal data breaches across Europe. Average daily breach notifications rose by 22% to 443 per day during 2025, marking the first time daily reports exceeded 400 since GDPR began. Ireland moved in a different direction, with breach notifications increasing by 3% year on year.

France has overtaken Luxembourg to become the second-largest GDPR enforcer and is now the only other EU country, alongside Ireland, to have issued more than €1 billion in fines since 2018.

According to DLA Piper, regulators remain focused on large technology and social media companies, while expanding scrutiny into sectors such as financial services, telecommunications and utilities. Commenting on the findings, John Magee, Partner and Global Co-Chair of DLA Piper’s Data, Privacy and Cybersecurity Group, said regulators continue to impose significant penalties, even amid criticism from outside the EU. He also pointed to rising breach notifications as evidence of a more challenging cybersecurity environment, influenced by geopolitical tensions and high-profile cyberattacks.

Disclaimer: This article is based on publicly available information and is intended for general guidance only. While every effort has been made to ensure accuracy at the time of publication, details may change and errors may occur. This content does not constitute financial, legal or professional advice. Readers should seek appropriate professional guidance before making decisions. Neither the publisher nor the authors accept liability for any loss arising from reliance on this material.