Recent GDPR (and EU privacy) enforcement actions: what’s getting regulators’ attention—and what to do about it

Across Europe, enforcement is no longer “a distant possibility”—it’s a steady drumbeat. By 1 March 2025, publicly tracked GDPR fines had reached ~€5.65B across 2,245 fine cases (with 2,560 total recorded cases when including entries with incomplete details), underscoring both volume and regulator confidence. While the biggest headlines still land on large tech platforms, recent actions show a broader pattern: security fundamentals, lawful basis & transparency, and vendor/processing governance are recurring fault lines.

Below are several recent, instructive enforcement actions (mostly GDPR; a couple are adjacent EU “cookie/ePrivacy” sanctions that often travel with GDPR expectations) and what they signal for privacy programs—especially for R&D and product teams building data-intensive capabilities.


1) Meta (Ireland): €91M over plaintext passwords, breach documentation & notification

In September 2024, Ireland’s Data Protection Commission (DPC) issued a €91M fine and a reprimand after finding Meta Platforms Ireland failed to (1) notify the authority of a personal data breach concerning passwords stored in plaintext, (2) document the breach properly, and (3) implement appropriate security measures for password processing (Articles 5(1)(f), 32(1), 33(1), 33(5)). The DPC emphasized a basic but non-negotiable principle: credentials are “particularly sensitive,” and controllers must evaluate risk and implement mitigating controls (including confidentiality safeguards).

Why it matters: Regulators are still finding “table stakes” security lapses—especially around authentication data—and they’re pairing technical findings with process failures (incident documentation, breach notification discipline).

Practical takeaway: If your incident response plan is strong on containment but weak on GDPR decisioning and documentation, you’re exposed. Align security runbooks with Article 33 notification thresholds and ensure breach logs are complete and auditable.


2) Spain: Informa D&B (€1.8M) for unlawful processing + failure to inform (data brokerage in B2B clothing)

Spain’s AEPD fined Informa D&B S.A. €1.8M for processing personal data without a valid legal basis and for failing to properly inform data subjects—then ordered it to cease processing, delete the data, and publish the sanction. Reporting on the case indicates the dataset included personal data of self-employed workers (autónomos) and business owners sourced through third parties, and the regulator challenged the assumption that “business contact data” is automatically lower risk or freely reusable for commercial purposes.

Why it matters: This is a blueprint for how regulators scrutinize data supply chains—especially where provenance, original purpose constraints, and Article 14 transparency are shaky.

Practical takeaway: For any purchased/partner-provided dataset (including “public” datasets), run a provenance and purpose-compatibility review: What was the original collection authority and purpose? What constraints follow the data? Can you meet Article 14 notice requirements or document why an exemption applies?


3) Spain: Marina Salud (€500K) highlights processor/subprocessor governance and transparency expectations

A separate Spanish enforcement example (April 2025) spotlighted processor governance: the AEPD fined Marina Salud €500K for issues tied to subcontracting/subprocessors without required authorization (GDPR Article 28(2)), compounded by resistance to disclosing relevant third-party contracts during the investigation. Commentary on Spanish enforcement trends shows the AEPD increasingly targets high-impact processing contexts (notably sensitive data and intrusive technologies), raising the stakes for governance and documentation.

Why it matters: Even when you’re “just the processor,” regulators expect crisp, provable control over subprocessing, and controllers expect the same—especially in healthcare and other special-category contexts.

Practical takeaway: Keep subprocessor inventories current, ensure contractual authorization flows exist (general vs. specific authorization), and operationalize a process to produce relevant agreements quickly during audits.


4) France (CNIL): Google (€325M) on consent UX + ads inserted among emails (ePrivacy/cookies—but highly GDPR-adjacent)

In September 2025, France’s CNIL announced €325M in fines against Google entities tied to (a) displaying ad-like messages inserted among Gmail emails without valid consent and (b) obtaining invalid consent for advertising cookies during account creation—where refusing personalized ads was harder than accepting, and users weren’t clearly informed that cookie placement conditioned service access. CNIL also ordered changes within six months and outlined daily penalties for delay—showing an appetite for behavior change, not just monetary penalties.

Why include this in a GDPR post? Technically, CNIL framed key parts under French rules implementing the ePrivacy regime (cookie and direct marketing rules), but the lessons map directly to GDPR expectations for “freely given” user choice and transparent design.

Practical takeaway: Audit consent friction (“reject” vs “accept” clicks), pre-consent tag firing, and whether product flows implicitly coerce consent. Regulators increasingly treat “choice architecture” as compliance-critical.


5) France (CNIL): SHEIN (€150M) for cookies set before consent + ineffective refusal/withdrawal (ePrivacy, again—same operational lessons)

CNIL also issued a €150M sanction against SHEIN for cookie practices including placing cookies before consent, incomplete information, and mechanisms that didn’t honor refusal/withdrawal choices effectively. The decision summary highlights enforcement continuity—CNIL has repeatedly sanctioned similar patterns, and it is comfortable scaling penalties with the massive scale of affected users.

Why it matters: “We have a banner” is not a defense if the site still drops trackers before the user acts or continues reading cookies after “Reject.”

Practical takeaway: Validate your CMP and tag manager behavior with technical testing: confirm no non-essential tags fire before consent, and confirm consent withdrawal actually disables downstream collection.


The bigger pattern: what regulators keep signaling (2024–2026)

A) Security basics + accountability process win (or lose) cases

Meta’s plaintext credential storage issues were paired with failures in breach notification and documentation—showing that regulators evaluate both controls and operational accountability. If your IR program can’t reliably evidence decision-making (timelines, thresholds, containment steps, notification logic), enforcement risk rises.


B) Lawful basis + transparency are being applied to data supply chains, not just first-party collection

Informa D&B illustrates how regulators interrogate source legitimacy, reuse constraints, and whether individuals are informed when data is acquired indirectly. This is especially relevant for organizations buying datasets for analytics, training, or enrichment—common in R&D environments.


C) Consent UX and “dark patterns” are enforcement magnets

CNIL’s actions against Google and SHEIN show regulators measuring “real choice,” not merely whether a banner exists. Even when enforcement is under ePrivacy rules, the operational message is aligned with GDPR’s expectations around fairness and user control.


D) Vendor/subprocessor governance is no longer paperwork—regulators expect it to work in practice

Marina Salud is a reminder that Article 28 controls must be operationally enforced, especially when sensitive data is processed and multiple subcontractors are in the chain. Documentation delays or inability to produce contracts can worsen outcomes.


A practical “do-this-next” checklist

  1. Run a “credential & secrets” hardening sweep

    • Ensure passwords are never stored in plaintext; confirm hashing + access controls + monitoring; treat auth data as high sensitivity.

    • Tie security incidents to a GDPR-ready breach workflow (log, assess, decide, document, notify when required).

  2. Stand up data provenance reviews for any third-party dataset (including “public” or “B2B” sources)

    • Document original purpose, collection authority, onward-transfer rights, and constraints; confirm lawful basis for your use case and whether Article 14 notices are required.

    • Require vendors to provide provenance evidence—not just contractual assurances.

  3. Audit consent experiences like a product team (because regulators do)

    • Measure clicks to accept vs reject; ensure “reject” is not buried; verify no pre-consent tags fire; verify withdrawal actually stops collection.

    • Add automated tests in CI/CD for tag firing behavior and consent state enforcement.

  4. Operationalize subprocessor control

    • Maintain a live subprocessor list, authorization path, and rapid contract retrieval process (audit-ready).

    • For high-risk processing (health, biometrics, large-scale profiling), make subprocessor onboarding contingent on DPIA-aligned security and purpose checks.

  5. Use enforcement metrics to prioritize program investments

    • The scale of fines and the number of cases tracked through March 2025 are a signal: invest where enforcement clusters—security fundamentals, transparency, consent, and governance.

    • Track enforcement themes quarterly so your roadmap reflects regulator reality, not last year’s assumptions.


Closing: turn “headline risk” into “design requirements”

The best way to read enforcement actions is as product requirements written by regulators. Meta’s case shows how quickly security and incident governance lapses escalate. Spain’s data brokerage enforcement shows that “where did this data come from?” is now a first-order question. And CNIL’s cookie actions show that consent is increasingly judged by outcomes—what actually happens in the browser—not by policy language.

