Billions in data protection fines remain unpaid

Billions of euros in data protection (GDPR) fines, especially against Big Tech, have been issued in recent years but only a tiny fraction has actually been paid so far. Most of the unpaid amounts are tied up in lengthy court appeals that delay enforcement.​

What has happened?

• Ireland’s Data Protection Commission (DPC), which leads many major Big Tech cases in the EU, has imposed about €4.04 billion in GDPR penalties since 2020, mainly on large technology companies.​

• Of this, only around €20 million has been collected, leaving more than €4 billion outstanding.​

• In 2025 alone, the DPC issued roughly €530 million in fines but collected just €125,000 so far.​

Why are fines not being paid?

• Under Irish law, the regulator generally cannot enforce collection while a fine is under legal appeal, so companies can delay payment by challenging decisions in Irish and EU courts.​

• Many of the largest fines are currently subject to complex, multi‑year litigation, including cases that may be influenced by a key ruling involving WhatsApp at the EU Court of Justice.​

Wider GDPR enforcement context

• Across Europe, total GDPR fines since 2018 run into several billions of euros, with records showing more than €5.6 billion imposed overall.​

• However, an NGO analysis of EU statistics found that only about 1.3% of data protection authority cases lead to any fine at all, indicating that formal penalties remain relatively rare compared to the volume of complaints.​

Why it matters

• The large gap between fines issued and fines paid raises questions about how effective GDPR enforcement is against powerful multinational firms.​

• Privacy advocates argue that sustained, collectable fines are one of the few tools that reliably push companies to improve compliance with data protection rules.​