
GDPR Enforcement Has Teeth: Reading the 2025 Rulings

Ethan
April 22, 2026

For the first several years after GDPR went into effect, the gap between the regulation as written and the regulation as enforced was wide enough to ride a truck through. Penalties existed on paper, but most companies treated GDPR compliance as a paperwork exercise rather than a real business risk. That perception has now decisively shifted. The enforcement actions through 2024 and 2025 produced a body of decisions that makes the practical scope of the regulation much clearer, and the financial stakes have become large enough that boards are paying attention in a way they previously did not.

This is a survey of the patterns visible in the recent rulings and what they mean for organizations that have been treating GDPR as a checkbox.

Fines are no longer the only mechanism

The headline numbers from recent GDPR enforcement are familiar. Individual fines in the hundreds of millions of euros have become routine for large platforms. What is less appreciated is how often the operational remedies hurt more than the fine itself. Multiple supervisory authorities have ordered the suspension of data flows, the deletion of training datasets, the rebuild of consent infrastructure, and structural separation of business units. Those remedies cost more than the fines do, and they take longer to recover from.

The Irish Data Protection Commission’s actions against several major platforms over the last eighteen months illustrate the pattern. The fines have made the news, but the order to redesign consent flows across the entire European user base produced engineering programs that ran into multiple quarters and required senior executive sign-off. Similar orders from the French CNIL and the Italian Garante have followed the same shape.

For organizations that were sized for a fine but not for operational remediation, the surprise has been unpleasant. Setting aside a contingency reserve for a GDPR fine is straightforward. Setting aside the engineering capacity to rebuild a consent platform on a regulator’s timeline is not.

The legitimate interests defense has weakened

One of the more consequential trends in the recent rulings is the narrowing of the legitimate interests legal basis. For years, organizations leaned on legitimate interests to justify a wide range of processing where obtaining explicit consent would have been operationally painful. Several 2025 rulings rejected that interpretation for processing categories that supervisory authorities believe should be opt-in.

The pattern is most visible in two areas. Behavioral advertising and ad targeting have been repeatedly held to require explicit consent rather than legitimate interests, with the European Data Protection Board reinforcing that position in coordinated decisions. Workforce monitoring – employee productivity tools, location tracking on company devices, AI-driven performance analytics – has been the second area where legitimate interests was rejected, with regulators emphasizing the power imbalance between employer and employee.

The practical effect is that data protection impact assessments now require a much harder look at the legal basis question, and the default answer of “legitimate interests” no longer survives challenge. Organizations that built consent infrastructure for marketing but not for HR or workforce analytics are discovering that they need to extend it.

International transfers remain a moving target

The Schrems II era is technically over. The EU-US Data Privacy Framework provides a legal basis for transfers to certified US organizations. The framework is in force, transfers are happening, and the immediate crisis of 2020-2023 has subsided.

The challenge is that the framework is fragile in ways that no one quite trusts. Litigation challenging the framework is in progress. The Court of Justice of the European Union has not yet weighed in on the substantive challenges, and most observers expect at least some pieces of the framework to be revisited. Organizations that built compliance programs assuming the DPF would persist unchanged are taking on risk that is hard to quantify.

The pattern that survives across regulatory cycles is data minimization at the transfer point. Not transferring data is the only reliably defensible posture. Several large organizations have responded to this by regionalizing more of their data architecture – keeping EU data in EU infrastructure with EU-resident processing – not because they were required to, but because the alternative is to live with policy risk that does not feel manageable.

The AI angle is reshaping enforcement

AI systems have become a major focus of GDPR enforcement, and the regulatory thinking is more sophisticated than the early posture suggested. The arguments are not about whether AI is allowed under GDPR but about how the regulation applies to training data, model outputs, and automated decision-making.

The training data question has produced rulings that constrain how broadly personal data scraped from the web can be used for model training. The Italian Garante’s actions against several AI providers, and similar moves by the French CNIL, established that the absence of a specific legal basis for training data ingestion is a real problem rather than a theoretical one. Several providers have responded by introducing opt-out mechanisms, dataset filtering, and provenance tracking that did not exist a year ago.

The output question has produced a smaller but consequential set of decisions around the right to rectification of factually incorrect statements produced by AI systems. The early position that AI outputs are not personal data has not held. Where an AI system asserts incorrect information about an identifiable individual, supervisory authorities have generally held that the operator has obligations to correct it.

Automated decision-making, which has been part of GDPR since the beginning, is getting more attention as AI is deployed in higher-stakes contexts. The Article 22 protections, the right not to be subject to a decision based solely on automated processing, are now being read more strictly. Organizations using AI for hiring, credit, or insurance decisions need to demonstrate either explicit consent or meaningful human review, and the bar for what counts as meaningful human review has risen.

Documentation has become the deciding factor

Across the rulings of the last two years, one pattern stands out for organizations trying to assess their own risk. The decisions that go against organizations almost always cite gaps in documentation. The decisions that go in their favor almost always involve organizations that could produce contemporaneous records of how they decided what they decided.

Data protection impact assessments, records of processing activities, vendor diligence files, and the documentation around consent mechanisms are the artifacts that regulators look for first. Organizations that have those artifacts up to date, even where the underlying processing is debatable, tend to receive softer remedies. Organizations that cannot produce the artifacts, even where the processing itself was defensible, end up with worse outcomes.

This points to a practical priority for any GDPR program. Spend the time to maintain the documentation. The regulator’s first question is rarely whether the processing was lawful in some abstract sense. It is whether the organization has thought about it carefully and recorded that thinking.

The DPO function has matured

Data Protection Officers in 2026 do work that looks meaningfully different from the role as it was originally constituted. The early DPO was often a compliance function tucked into legal or risk. The current generation of DPOs in companies that take this seriously sit closer to engineering, product, and security, because that is where the decisions that matter are actually made.

The DPO offices that have gained influence in their organizations tend to share a few traits. They review product features before launch rather than after. They have a seat on the security incident response process. They have direct access to senior leadership when escalation is needed. They run training that engineering teams actually find useful rather than the checkbox awareness modules of the early years.

For organizations whose DPO function still looks like a paperwork unit, the shift in enforcement intensity is uncomfortable. The DPO is increasingly the person who will be questioned by the regulator about how the organization made its decisions, and that conversation goes much better when the DPO was actually in the room.

What to expect over the next year

A few directions seem likely. The interplay between GDPR and the AI Act will produce coordinated enforcement, with supervisory authorities sharing methodology across the two regimes. Cross-border enforcement coordination through the European Data Protection Board will continue to tighten, reducing the forum-shopping that some organizations relied on. And the children’s data area, which has been a focus of several recent decisions, will probably see additional dedicated guidance and enforcement.

For organizations whose GDPR program was sized for the early enforcement era, the gap between current posture and current expectations is large enough that catch-up is worth budgeting for now, before a complaint or audit forces the issue at the worst possible time. The teams that treated the regulation as a serious operational constraint from the start are now noticeably less stressed than the ones that treated it as a paperwork exercise. The enforcement record of the last two years has made the difference visible.

About the Author

Ethan Cole is a technology writer and cybersecurity analyst focused on AI, cloud infrastructure, privacy, SaaS platforms, and enterprise technology. With more than a decade of experience covering digital transformation and emerging technologies, he specializes in translating complex technical topics into practical insights for businesses, developers, and decision-makers.