Global data risk

The biggest fines, the most active authorities – and the conduct in the spotlight

Personal data has become a critical source of value – and regulatory risk – for businesses. The threat is particularly stark in Europe, where the advent of the General Data Protection Regulation (GDPR) has altered the landscape dramatically.

In this report we examine the evolution of GDPR enforcement, identifying the most active EU authorities and those that levy the biggest fines. We take a deeper dive into the decisions themselves to reveal how agencies treat different types of misconduct and how they calculate penalties. And we look at fines issued under the GDPR alongside penalties handed out by the world’s hardest-hitting authorities to build a global picture of data enforcement.

Introduction and methodology

This study looks at all penalties levied by EU data protection authorities (DPAs) under the GDPR from its inception to February 2021. We have set this enforcement activity in context by compiling a list of the 100 biggest data fines issued across Europe and North America – where the world’s harshest sanctions originate – between 2017 (the year before the GDPR came into force) and February 2021. In Europe, our analysis includes penalties issued under member states’ national data protection and e-commerce laws.

In addition, we have overlaid insights on the emerging threat of data-related litigation and explored wider regulatory trends across the world, including Brexit and its impact on the UK’s data protection landscape.