
The EU’s General Data Protection Regulation (GDPR) came into force eight years ago this week. Over those eight years, European regulators announced an estimated €7.1 billion in GDPR fines, but nearly 40% of that total, around €2.8 billion, has either already been annulled or is under active legal challenge, according to analysis by insurance brokerage Alliance Risk.
Fines that have already been annulled include a €746 million fine against Amazon (Luxembourg, March 2026) and a €15 million fine against OpenAI (Italy, March 2026). Those under active appeal include three fines against Meta (€1.2 billion, €265 million, and €91 million) and one against TikTok (€530 million).
Alliance Risk used the CMS Law GDPR Enforcement Tracker as its primary source for information on GDPR enforcement, cross-referenced against IAPP enforcement data and trackers from Kiteworks and UniConsent. Data on annulments came from reported court decisions.
GDPR established a benchmark for breach notification
According to Alliance Risk, GDPR successfully laid the foundation for data protection law globally — particularly by first establishing the 72-hour breach notification standard.
