According to a recent report by law firm DLA Piper, organizations are increasingly being reported for violations of the General Data Protection Regulation (GDPR).

According to the study, the average number of daily reports has risen above 400 for the first time since the GDPR came into force across the EU on May 25, 2018. With 443 reports of violations per day, the number in 2025 was 22% higher than the previous year.

However, the data does not allow for any definitive conclusions about the causes of this increase, according to DLA Piper. The law firm believes that geopolitical tensions, the multitude of new technologies available to cyber threat actors, and a number of new laws mandating the reporting of security incidents are likely among the key factors.

€1.2 billion in GDPR fines

According to DLA Piper, the total amount of fines, at around €1.2 billion, was roughly the same as the previous year. However, this high sum also demonstrates that European data protection authorities remain willing to impose substantial fines. Since the GDPR came into effect, a total of €7.1 billion in fines has been levied.

Broken down by country, Ireland, where US tech giants like Apple, Google, and Meta have their EU headquarters, once again leads the enforcement statistics: The total fines imposed by the Irish Data Protection Commission have reached €4.04 billion since the GDPR came into force in May 2018.

This includes the highest fine ever imposed under the GDPR, amounting to €1.2 billion against Meta Platforms Ireland Ltd. Furthermore, in April 2025, TikTok Technology Ltd. was fined €530 million for transferring personal user data to China.

However, DLA Piper points out that the risks of GDPR compliance are not limited to administrative fines. There is also the risk of subsequent claims for damages. Several landmark rulings by the CJEU and national European courts have addressed GDPR-related compensation claims — particularly regarding the requirements for claims for non-material damages.
