Brian Daigle, Mahnaz Khan


The European Union (EU) General Data Protection Regulation (GDPR) was enacted in May 2016 with a two-year implementation period that concluded in May 2018. Since then, EU member states and regional-level data protection authorities (DPAs) have issued over $500 million in fines. Although EU DPAs issued few fines for noncompliance in the first year of implementation, DPAs have subsequently acted much more aggressively against noncompliant firms. This paper will explore the broad trends in investigation and enforcement across the EU in the 21 months following GDPR implementation. These trends include a preliminary analysis of differences in GDPR enforcement in specific EU member states, the GDPR provisions that are most emphasized in enforcement, and the nature of the fines imposed on U.S. and EU-based firms. As of March 2020, the largest fines and enforcement actions under GDPR had occurred principally in Western European countries, with enforcement split between U.S. and EU firms.