GDPR Becomes Enforceable
After a two-year transition period, the General Data Protection Regulation (EU) 2016/679 became fully enforceable, replacing the 1995 Data Protection Directive. It introduced sweeping new rights for EU individuals — including rights of access, erasure, portability and objection — and imposed obligations on any organisation processing EU personal data, regardless of where that organisation is based. Maximum fines were set at €20 million or 4% of global annual turnover, whichever is higher.
Full GDPR regulation text →
First Big Tech Fine: Google €50M (CNIL, France)
France's CNIL issued the first significant GDPR fine against a US tech giant — €50 million against Google LLC. The decision found that Google lacked a valid legal basis for personalised advertising and failed to provide transparent, easily accessible information about its data use. The case was brought by NOYB and La Quadrature du Net. It set the precedent that GDPR enforcement would target fundamental data practices, not just data breaches.
CNIL press release →
Schrems II: CJEU Invalidates EU–US Privacy Shield
The Court of Justice of the EU issued its landmark ruling in Data Protection Commissioner v Facebook Ireland (Case C-311/18), invalidating the EU–US Privacy Shield framework. The court found that US surveillance laws — particularly FISA 702 and Executive Order 12333 — do not meet EU fundamental rights standards and cannot be remedied by contractual safeguards alone. Standard Contractual Clauses remained valid but required individual Transfer Impact Assessments for each data transfer. This ruling disrupted thousands of businesses relying on Privacy Shield.
CJEU judgment →
European Commission Publishes New Standard Contractual Clauses
The Commission published modernised SCCs for international data transfers (Commission Implementing Decision 2021/914), replacing the older 2001/2004 versions. The new SCCs feature a modular structure covering all four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor. Crucially, they incorporated requirements to conduct Transfer Impact Assessments (TIAs) and, if necessary, implement supplementary measures. Organisations had 18 months to migrate existing contracts.
Commission SCCs page →
WhatsApp Fined €225M After First EDPB Article 65 Decision
Ireland's DPC initially proposed a lower fine for WhatsApp's transparency violations, but other European DPAs objected and triggered the EDPB's binding dispute resolution mechanism under Article 65 GDPR for the first time. The EDPB's binding decision forced the Irish DPC to significantly increase the fine to €225 million. This case established an important precedent for how the one-stop-shop co-operation mechanism works in practice, and showed that other DPAs can escalate disagreements.
EDPB Article 65 Decision →
Meta (Instagram) Fined €405M for Children's Data
The Irish DPC fined Meta €405 million over Instagram's handling of child users' accounts — including public-by-default settings for accounts of users aged 13–17, which exposed their phone numbers and email addresses. The decision reinforced GDPR's strict requirements around children's data (Article 8), the principle of data protection by design and default (Article 25), and transparency obligations. It was one of the first major GDPR actions focused specifically on child users.
DPC press release →
Meta Receives Record €1.2B Fine for US Data Transfers
The Irish DPC fined Meta €1.2 billion — the largest GDPR fine ever issued — for unlawfully transferring EU personal data to the United States in violation of the Schrems II judgment. Meta had continued to rely on Standard Contractual Clauses without implementing adequate supplementary measures despite the CJEU's ruling in 2020. Meta was ordered to suspend future transfers and bring existing ones into compliance within five months. Meta subsequently appealed the decision in Irish courts.
DPC decision →
EU–US Data Privacy Framework Adopted
The European Commission adopted a new adequacy decision for the EU–US Data Privacy Framework, establishing the third mechanism for personal data to flow freely from the EU to certified US companies. Key improvements over the invalidated Privacy Shield included the establishment of the Data Protection Review Court — an independent redress body for EU individuals to challenge US government access to their data — and new binding safeguards for US intelligence agencies. Privacy advocates, including NOYB, have already signalled challenges to the framework at the CJEU.
Adequacy decision →
EU AI Act Enters Into Force
The EU AI Act — the world's first comprehensive AI regulatory framework — entered into force, creating a risk-based system for AI regulation. It intersects significantly with GDPR: high-risk AI systems that process personal data must comply with both regulations simultaneously. Key overlaps include data governance requirements (AI Act Article 10), transparency to individuals (GDPR Articles 13–14), and automated decision-making rights (GDPR Article 22). Full application of most provisions begins in August 2026.
AI Act full text →
LinkedIn Fined €310M for Advertising Data Violations
Ireland's DPC fined LinkedIn €310 million for processing personal data for targeted advertising without a valid legal basis. The investigation found that LinkedIn incorrectly relied on legitimate interests, consent, and contractual necessity across different advertising processing activities — making it one of the most comprehensive rulings on the interplay between GDPR legal bases and behavioural advertising. LinkedIn was ordered to bring its processing into compliance within a set timeframe.
DPC press release →