Big tech firms continue to push back against fines levied for alleged violations of European data protection law, in what could be a harbinger for AI regulations to come.

While lawyers and experts quizzed by CSO broadly argue that big tech firms contesting data protection rules isn’t a particular cause for concern, the more widespread introduction of AI technologies is a far greater data protection challenge on the horizon.

The EU’s General Data Protection Regulation (GDPR) came into force eight years ago this week. Over those eight years, European regulators announced an estimated €7.1 billion in GDPR fines, but nearly 40%, around €2.8 billion, has either already been annulled or is under active legal challenge, according to analysis by insurance brokerage Alliance Risk.

Fines that have already been annulled include one against Amazon at €746 million (Luxembourg, March 2026) and another versus OpenAI at €15 million (Italy, March 2026). Those under active appeal include three fines against Meta (€1.2 billion, €265 million, and €91 million) and one against TikTok (€530 million).

Alliance Risk used CMS Law GDPR Enforcement Tracker as its primary source for information on GDPR enforcement, cross-referenced against IAPP enforcement data and trackers from Kiteworks and UniConsent. Data on annulments came from reported court decisions.

GDPR established a benchmark for breach notification

According to Alliance Risk, GDPR successfully laid the foundation for data protection law globally — particularly by first establishing the 72-hour breach notification standard.

This three-day notification rule is law in six jurisdictions — EU, UK, Thailand, Kenya, Nigeria, and South Korea — and influential elsewhere. For example, the US CIRCIA rule for critical infrastructure, which is pending final rule publication this month, is due to apply the 72-hour standard.

By comparison, HIPAA gives US healthcare organisations 60 days as a breach notification deadline. The SEC gives public companies four business days but only after they’ve internally determined a breach is “material,” which adds its own delay.

Although the breach notification regulations established by GDPR have been a success, issues with the enforcement of rules remain.

“The framework has structural weaknesses that large companies have learned to exploit in court, and nearly 40% of announced fines reflect that,” according to Alliance Risk.

The EU’s AI Act reaches full application in August, and the European Commission is already proposing to reform GDPR through the Digital Omnibus. “The framework is being rewritten while it’s still being tested,” Alliance Risk concludes.

“The fact that around 40% of GDPR fines by value are under challenge isn’t necessarily a sign the system is broken,” Nick Phillips, an intellectual property lawyer at Edwin Coe LLP tells CSO. “Eight years in, the bigger fines were always going to end up in court, and the rulings that come out of those appeals are starting to give in-house teams something they’ve never really had before: practical guidance on what regulators can and can’t defend.”

Phillips argues that GDPR compliance has improved enterprise security maturity more through its obligations than through the threat of a fine for non-compliance: the 72-hour breach notification rule, coupled with the duties to record all breaches and to notify data subjects, has pushed organisations to improve their security controls.

“That breach notification regime has arguably been the single biggest factor in forcing organisations to put proper incident response in place, get forensics providers on retainer, and start reporting breaches up to the board,” Phillips says. “A lot of that simply wasn’t happening before 2018, and it’s the part of GDPR that’s done the most work.”

Marco Eggerling, LL.M., security and trust officer for EMEA and Asia at robotic process automation vendor UiPath, says it would be a “mistake to read these annulments as courts clearing big tech.”

“In the Amazon case, the Luxembourg court upheld the substance of the violations and sent the matter back to the regulator,” Eggerling notes. “The fine fell because the authority skipped required steps, not because the conduct was found lawful.”

Eggerling adds: “The lesson for regulators is to build procedurally bulletproof decisions. The lesson for companies is that the underlying obligations have not moved an inch.”

Even within the EU there is a disparity in how regulations are understood and applied, making cross-border decisions about data and AI challenging.

“A lot of organisations lean towards the ‘lowest common denominator’ and adhere to the strictest governance and more conservative approaches in order to avoid the wrath of regulators,” says Caroline Carruthers, CEO and founder of global data consultancy Carruthers and Jackson.

The UK and EU apply stricter regulations than the US or China, so many organisations adhere to the stricter rules wherever they operate.

Due to their size and nature, “big tech” organisations tend to have a heightened appetite for risk and a desire to push the boundaries of regulations — and often a different relationship with the general public, whose data is the business model. “They have a vested interest in deregulation and so will naturally be the most likely to contest enforcement,” Carruthers notes.

Data regulations need to evolve with the advent of AI

For most organisations, the enforcement of GDPR has gotten to a place where it is broadly fit-for-purpose, according to Carruthers.

“When GDPR was first introduced, the guidance was unclear and inconsistent,” Carruthers explains. “It felt legally robust, but a lot of the data practitioners struggled to make it work. Even now, some businesses tell us that they are ‘paralysed’ a little by GDPR. They are highly fearful of data and the associated regulation, to the extent that they are unable to maximise — or even touch on — the potential power of data.”

However, as AI and data regulation evolve, there’s a need to account for how AI tools are now being used.

The concern is that history may repeat itself as regulation looks to keep pace with technological change. “There is a risk that organisations get stuck in a mid-maturity plateau in which innovation is halted by complex and inconsistent interpretations of regulations,” Carruthers warns.
