An analysis of landmark GDPR enforcement actions from 2021 to 2024, including record-breaking fines against Meta, Amazon, and TikTok, and the accelerating trend toward stricter scrutiny of transatlantic data transfers by European Data Protection Authorities.
After the General Data Protection Regulation (Regulation (EU) 2016/679) became enforceable on 25 May 2018, enforcement was initially criticised as slow and toothless. That perception changed dramatically from 2021 onward. In July 2021, the Luxembourg National Commission for Data Protection (CNPD) imposed a €746 million fine on Amazon Europe Core for processing personal data for targeted advertising without a valid legal basis. The decision, adopted under the EDPB's Article 65 dispute resolution mechanism, remains one of the largest data-protection penalties ever levied.
The pace accelerated in 2022 and 2023. Ireland's Data Protection Commission (DPC) fined Meta Platforms Ireland Limited €405 million in September 2022 for Instagram's handling of children's data, followed by a €390 million fine in January 2023 for Facebook and Instagram's reliance on "contractual necessity" as a legal basis for behavioural advertising. Then, on 22 May 2023, the DPC issued the landmark €1.2 billion fine against Meta for continuing to transfer EU personal data to the United States in violation of the CJEU's Schrems II judgment (Case C-311/18). The decision also ordered Meta to suspend US-bound transfers within five months.
TikTok was not spared either. In September 2023, the DPC fined TikTok Technology Limited €345 million for violations relating to the processing of children's personal data, including default public account settings and the "Family Pairing" feature. These cases demonstrate that regulators are increasingly willing to impose fines near the GDPR's statutory maximum of 4% of global annual turnover.
Transatlantic data transfers have been the single most contentious area of GDPR enforcement. The saga began with the CJEU's invalidation of the EU-US Safe Harbor framework in Schrems I (Case C-362/14, October 2015), continued with the invalidation of the Privacy Shield in Schrems II (Case C-311/18, July 2020), and culminated in the €1.2 billion Meta fine.
In response, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF) on 10 July 2023 (Implementing Decision (EU) 2023/1795). The DPF relies on Executive Order 14086, signed by President Biden in October 2022, which introduced proportionality requirements for US signals intelligence and established a Data Protection Review Court. However, privacy advocates—most notably Max Schrems' organisation noyb—have signalled their intent to challenge the DPF before the CJEU, arguing that the executive order's safeguards are insufficient and revocable.
Meanwhile, organisations relying on Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914 face an ongoing obligation to conduct transfer impact assessments (TIAs). The EDPB's recommendations on supplementary measures (adopted June 2021) set a high bar, requiring technical safeguards such as end-to-end encryption where the data importer cannot access keys.
One of the persistent criticisms of GDPR enforcement has been the "bottleneck" effect created by the one-stop-shop mechanism, under which the supervisory authority in the Member State of a company's main establishment acts as lead authority. In practice, this concentrated enforcement for most large tech companies in Ireland and Luxembourg. The Irish DPC, in particular, faced heavy criticism from other DPAs for delays in processing cases.
The EDPB's Article 65 dispute resolution procedure has become a crucial corrective tool. Under this mechanism, the EDPB can adopt binding decisions when DPAs disagree on cross-border cases. The Board used this power in the Amazon, Meta, and WhatsApp cases to push the lead DPA toward higher fines and stricter interpretations. In 2023, the European Commission proposed reforms to GDPR procedural rules (COM(2023) 348) specifically to streamline cross-border enforcement, give complainants more procedural rights, and harmonise the handling of complaints.
National DPAs have also ramped up domestic enforcement independently:
The enforcement trends have direct implications for organisations choosing cloud and data-processing infrastructure in Europe. First, the regulatory risk associated with storing or processing EU personal data in US-hosted environments remains material, even under the DPF. Organisations in regulated sectors—particularly financial services, healthcare, and government—are increasingly adopting data residency strategies that keep personal data within the EU or EEA as a risk-mitigation measure, irrespective of the legal mechanism used for transfers.
Second, the sheer scale of recent fines has elevated GDPR compliance from a legal function to a board-level concern. Enterprises are factoring DPA enforcement risk into procurement decisions, favouring cloud providers that offer EU-resident data processing, transparent subprocessor chains, and contractual commitments aligned with EDPB guidance. Hyperscale providers have responded: Microsoft, Google, and Amazon have all announced sovereign cloud offerings or EU data boundary commitments.
Third, the increasing alignment between DPAs—driven by the EDPB consistency mechanism and proposed procedural reforms—means that enforcement outcomes are becoming more predictable but also more uniformly strict. Organisations can no longer rely on forum-shopping between Member States as a strategy. The direction of travel is clear: fines are growing, enforcement is coordinating, and data transfer obligations are tightening. Infrastructure decisions made today must account for where this regulatory trajectory leads over the next three to five years.
The largest GDPR fine to date is the 1.2 billion euro penalty issued by the Irish Data Protection Commission against Meta in May 2023 for unlawfully transferring EU personal data to the United States in violation of the Schrems II ruling.
Major US tech companies have faced record GDPR fines totalling over 4.5 billion euros by the end of 2024. The core issue is that US surveillance laws such as FISA Section 702 and the CLOUD Act create structural conflicts with GDPR data protection requirements, making full compliance difficult for US-headquartered providers.
GDPR violations can result in fines of up to 4% of global annual turnover. Enforcement has accelerated since 2021, with regulators increasingly willing to impose near-maximum penalties for systemic violations, particularly around transatlantic data transfers.