GDPR Fines Under Pressure: Tech Giants Challenge Penalties in Court

The Bottom Line: Large technology companies are systematically contesting European GDPR fines in court, with significant implications for the implementation of AI regulation.

Approximately 40 percent of GDPR fines imposed over eight years are subject to legal challenge or have already been annulled. This trend points to upcoming challenges in enforcing the EU AI Act.

Since the General Data Protection Regulation came into force eight years ago, European regulators have announced an estimated 7.1 billion euros in GDPR fines. According to an analysis by insurance broker Alliance Risk, approximately 2.8 billion euros (just under 40 percent) have already been annulled or are subject to active legal proceedings. Among the fines already overturned are an Amazon penalty of 746 million euros (Luxembourg, March 2026) and a fine against OpenAI of 15 million euros (Italy, March 2026). Under active appeal are three Meta fines (1.2 billion, 265 million, and 91 million euros) as well as a TikTok fine of 530 million euros.

Nick Phillips, intellectual property lawyer at Edwin Coe LLP, does not view the challenge rate as a sign of a defective system. After eight years, it is normal for the larger fines to go to court, and the resulting judgments are providing compliance teams with practical guidance for the first time on which regulatory requirements are actually enforceable. Alliance Risk, by contrast, diagnoses structural weaknesses: the GDPR framework has vulnerabilities that large companies are systematically exploiting in court.

A central achievement of the GDPR remains the globally established 72-hour breach notification requirement. This rule is directly binding law in six jurisdictions (EU, United Kingdom, Thailand, Kenya, Nigeria, South Korea) and influences other standards – such as the pending US CIRCIA rule for critical infrastructure, which also provides for the 72-hour deadline. By comparison, the US data protection regulation HIPAA grants the healthcare sector 60 days, while the SEC gives publicly traded companies four business days, but only after internal determination of a breach’s materiality.

The notification requirement has demonstrably created incentives for improved corporate security. Phillips notes that it was specifically the combination of the 72-hour notification requirement, the obligation to document all incidents, and the requirement to notify affected individuals that forced organizations to establish proper incident response processes, contractual relationships with forensic providers, and escalation to board level. These practices were often lacking before 2018. The EU AI Act reaches full applicability in August 2024, while the European Commission is simultaneously reforming the GDPR through the Digital Omnibus. Alliance Risk concludes: The regulatory framework is being rewritten while it is still being tested.

Source: www.csoonline.com · Published 29 May 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.8.