Are data protection fines effective?

Since May 2018, Ireland’s Data Protection Commission (DPC) has imposed fines of more than €4 billion on big tech firms but just €20 million of that has been paid (according to RTE, Ireland’s national public service broadcaster). Now the recent TikTok fine, a whopping €530 million, is also under appeal. So how effective are fines as a deterrent and as an incentive to compliance? Is damage to reputation, or a fall in the share price more worrying to the big players? Sometimes, a company, such as Vodafone, cooperates with the regulator, improves its processes and pays the fine.

The strong fining powers under the GDPR have not been used equally enthusiastically in all EU Member States. Looking at the very large fines, Ireland leads the pack. However, the DPC is also active in asking companies for clarifications before it acts. For example, when Meta informed the DPC in March 2024 of its plans to train its Large Language Model using public content shared by adults on Facebook and Instagram, the DPC asked Meta to pause. Since then, the European Data Protection Board (EDPB) has issued its Opinion on AI, and Meta has implemented improvements. It is also expected to report later this year on further measures taken. In Germany, the courts have now ruled that Meta is allowed to use publicly shared data from Facebook and Instagram to train its AI models without explicit consent.

GDPR simplification is now being discussed by all interested parties. While we wait for the EU’s potential action in addition to the modest changes in record-keeping, Director Monika Krasińska at Poland’s DPA has said that the problem does not lie in the GDPR regulations themselves, but in the Regulators’ inability to apply them in practice.

This sentiment is echoed by many. The DPAs say they aim to issue guidance that is more easily understood. The EDPB’s 3 July Helsinki declaration declared that the Regulators will develop common practices, methods, and tools and review guidelines to ensure their real-world effectiveness.

Laura Linkomies
Editor, Privacy Laws & Business

August 2025