GDPR Enforcement Trends 2024-2026: From Warnings to Billion-Euro Fines

The Evolution of GDPR Enforcement: From Warnings to Substantial Penalties

Since its enforcement began on 25 May 2018, the General Data Protection Regulation (GDPR) has transformed from a regulatory framework met with initial warnings and guidance into a regime with significant financial teeth. The 2024 annual report from noyb (none of your business), a prominent European privacy advocacy group, underscores this shift, revealing that its work has contributed to administrative fines totaling €1.69 billion. This evolution reflects a maturing enforcement landscape where Data Protection Authorities (DPAs) across the EU are moving beyond educational outreach to imposing penalties that materially impact corporate behavior. As we approach the regulation's eighth year, enforcement is becoming more targeted, sophisticated, and cross-border in nature, with a clear focus on systemic violations affecting fundamental rights.

This analysis examines the key enforcement themes emerging from recent high-profile cases and noyb's advocacy, providing businesses with actionable insights to strengthen their GDPR compliance posture ahead of anticipated 2026-2027 priorities.

Consent Violations and the 'Pay or Okay' Model Scrutiny

The legality of so-called "Pay or Okay" or "cookie consent" models, where users must either pay for a service or consent to extensive data processing for advertising, has become a major enforcement battleground. A pivotal case involves the Austrian newspaper Der Standard. Initially, the Austrian DPA permitted such models, leading to their proliferation across the EU. However, the authority has since partially reversed its stance, now requiring that users must be able to consent or refuse specific data processing individually, rather than facing an all-or-nothing choice.

Key issues identified include:

• Economic Proportionality: Subscription fees (e.g., €96/year for Der Standard) are often 10-100 times higher than the ad revenue generated from a user, raising concerns that the fee effectively coerces consent and undermines the fundamental right to data protection.
• Implementation Clarity: It remains unclear how publishers can design a compliant subscription model that is not economically or administratively impractical while respecting granular consent requirements.

The German Data Protection Conference (DSK) has also raised concerns, and noyb has pending complaints against German media providers. The Der Standard decision is being appealed, potentially leading to a landmark ruling from the European Court of Justice that could standardize cookie consent practices EU-wide.

Compliance Takeaways for Consent

• Ensure Granularity: Consent mechanisms must allow users to accept or reject different types of data processing (e.g., analytics, personalized ads) independently. Pre-ticked boxes or bundled consent are non-compliant.
• Assess Fee Fairness: If using a "Pay or Okay" model, critically evaluate whether the subscription fee is proportionate to the value of the data processing avoided. Document this assessment.
• Prioritize Transparency: Clearly explain what data is collected, for what purposes, and how it is used in simple language before obtaining consent.

Cross-Border Data Transfers: A High-Stakes Compliance Frontier

Cross-border data transfers remain one of the most complex and risky areas under GDPR. Enforcement is active on two fronts: transfers to the United States and transfers to countries like China.

For EU-US transfers, the legal landscape was shaped by the CJEU's ruling in case C-311/18 (Schrems II), which invalidated the Privacy Shield adequacy decision and emphasized that Standard Contractual Clauses (SCCs) alone are insufficient if the recipient country's laws (like US surveillance programs) undermine the protection they guarantee. Data exporters must conduct transfer impact assessments (TIAs) and implement supplementary measures where necessary.

In 2024, noyb escalated enforcement against transfers to China, filing GDPR complaints against six major Chinese tech companies: TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi. The complaints allege violations of GDPR Articles 44 and 46, arguing that China's legal framework does not provide an "essentially equivalent" level of data protection to the EU, as its laws do not limit government access to data. The potential fines are staggering—up to 4% of global annual turnover, which could equate to approximately €1.35 billion for a company like Temu.

Compliance Takeaways for Data Transfers

• Map All Data Flows: Maintain a comprehensive record of processing activities (ROPA) that identifies all international data transfers.
• Conduct Rigorous TIAs: For any transfer outside the EU/EEA, assess the legal framework of the destination country and the practical risks to the data. Do not rely solely on SCCs without supplementary technical or contractual measures if risks are identified.
• Prepare for Scrutiny: Transfers to jurisdictions with broad government surveillance powers (US, China, Russia) will face the highest regulatory scrutiny. Be prepared to justify the legal basis and safeguards.

Automated Decision-Making: Enforcing Article 22's Prohibitions

GDPR Article 22 provides individuals with the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. Enforcement in this area is intensifying, particularly in financial services.

A clear example is the 2024 action by the Austrian Data Protection Authority (DSB) against credit information agency KSV1870 and energy provider Unsere Wasserkraft. The DSB found that KSV1870's fully automated credit scoring, which led to the automatic rejection of a customer's energy contract application, violated Article 22. The authority issued a processing ban, prohibiting such automated checks without the data subject's explicit consent, and reprimanded both companies for lack of transparency. This follows a similar 2023 CJEU ruling against German credit agency SCHUFA.

Compliance Takeaways for Automated Decisions

• Implement Human Review: Ensure that systems producing consequential decisions (credit, hiring, insurance) have meaningful human intervention before a final decision is made.
• Secure Explicit Consent or Identify Another Exception: If using solely automated processing, you must have the data subject's explicit consent or demonstrate it is necessary for a contract or authorized by EU/member state law. Consent must be freely given and specific.
• Enhance Transparency: Inform individuals about the logic involved, the significance of the automated decision, and the envisaged consequences, as required by Articles 13-15.

Data Subject Rights: Enforcement Challenges and Access Requests

The practical enforcement of data subject rights (DSRs), like the right of access (Article 15), reveals significant friction between companies and regulators. Two cases highlight ongoing challenges:

• Spain (AEPD & Virgin Telco): noyb appealed a decision where the Spanish DPA sided with Virgin Telco's refusal to provide a customer with their location data, citing data retention laws for law enforcement. The AEPD provided no legal reasoning, raising concerns about DPA transparency and the primacy of GDPR access rights over national data retention obligations.
• Sweden (IMY & Spotify): The Swedish DPA refused to decide on a GDPR complaint against Spotify for incomplete responses to access requests, arguing the data subject is not a "party" to the enforcement procedure under Article 77. noyb has appealed to the Stockholm Administrative Court, challenging this interpretation which undermines individuals' ability to enforce their rights.

These cases demonstrate that while the rights are clear, their practical vindication can be obstructed by corporate pushback and varying DPA interpretations.

Compliance Takeaways for Data Subject Rights

• Streamline DSR Processes: Establish clear, efficient workflows to respond to access, deletion, and correction requests within the one-month deadline. Automate where possible.
• Justify Any Refusal: If refusing a request, provide a clear, specific legal justification (e.g., manifestly unfounded, excessive) and inform the individual of their right to lodge a complaint with a DPA.
• Train Staff: Ensure customer-facing and legal teams understand DSR obligations to avoid dismissive or incorrect responses that trigger complaints.

Children's Privacy: A Growing Enforcement Priority

Protecting children's data is a heightened priority for regulators. A significant 2024 complaint by noyb targets Microsoft's 365 Education services in the EU/EEA. The complaint alleges Microsoft violates GDPR by:

• Shifting Controller Responsibility: Designating schools as data controllers while denying them actual control over the systems, making it impossible for schools to comply with GDPR obligations like fulfilling access requests.
• Lacking a Valid Legal Basis: Tracking children using cookies for behavioral analysis and advertising without valid consent or another lawful basis.
• Providing Opaque Documentation: Offering vague, complex privacy notices that make it impossible for users, parents, or even legal professionals to understand data processing practices.

This case underscores the strict scrutiny applied to services used by minors and the importance of vendor management for organizations that rely on third-party processors.

Compliance Takeaways for Children's Privacy

• Conduct Specific DPIAs: Perform Data Protection Impact Assessments for any processing likely to target or be accessed by children.
• Verify Vendor Compliance: When using third-party services in educational or child-focused contexts, conduct thorough due diligence. Contracts must clearly delineate controller/processor roles and responsibilities.
• Use Age-Appropriate Transparency: Provide privacy information in clear, plain language that children can understand. In the US, also consider state laws like California's Age-Appropriate Design Code.

Leveraging Technology for Proactive GDPR Compliance

Navigating this complex and dynamic enforcement landscape requires more than manual checklists. Organizations must adopt proactive, technology-enabled strategies to monitor compliance across multiple jurisdictions. Platforms like AIGovHub offer data privacy monitoring tools that help organizations track regulatory changes, assess their compliance posture against evolving standards, and manage vendor due diligence across their data processing ecosystem. By centralizing intelligence on GDPR and related US state privacy laws (like CPRA, VCDPA, TDPSA), such tools enable compliance teams to move from reactive firefighting to strategic governance.

Predictions for 2026-2027 Enforcement Priorities

Based on current trends, enforcement will likely intensify in these areas:

1. AI and Data Exploitation: Building on noyb's 2024 complaints against Meta and Twitter (X) for training AI on user data, regulators will closely scrutinize the lawful basis and transparency of using personal data for AI model development. This intersects with the EU AI Act, which classifies AI in employment and credit scoring as high-risk.
2. Cross-Border Transfers to "High-Risk" Jurisdictions: Enforcement against data transfers to China, Russia, and other states with perceived inadequate protections will increase, potentially leading to the first multi-billion euro fines.
3. Systemic Transparency Failures: As seen in the Netflix (€4.75M fine) and Microsoft Education cases, regulators will penalize companies for overly complex, vague, or misleading privacy notices that hinder user understanding.
4. Enforcement of Data Subject Rights: DPAs may take a more uniform approach to compel companies to comply with access and deletion requests, reducing the current enforcement arbitrage between member states.
5. Intersection with Other Regulations: GDPR enforcement will increasingly interact with the Digital Services Act (DSA), the AI Act, and ePrivacy rules, creating a layered compliance challenge.

Key Takeaways and Actionable Steps

• Consent is not a commodity: Ensure it is freely given, specific, informed, and unambiguous. Scrutinize "Pay or Okay" models for fairness and granularity.
• Treat data transfers as high-risk: Conduct thorough transfer impact assessments and implement supplementary measures where the recipient country's laws pose a risk.
• Audit automated decision systems: Ensure human review for consequential outcomes and provide clear explanations to data subjects.
• Prioritize data subject rights processes: Streamline responses and avoid unjustified refusions that attract regulatory complaints.
• Apply heightened safeguards for children's data: Use age-appropriate transparency and conduct strict vendor due diligence.
• Invest in compliance intelligence: Use regulatory monitoring tools to stay ahead of enforcement trends and jurisdictional nuances.

To assess your organization's readiness for these evolving challenges, consider using tools like AIGovHub's GDPR compliance assessment tool, which can help identify gaps in your data protection program relative to current enforcement priorities.

This content is for informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal counsel to address their specific compliance obligations.