The General Data Protection Regulation (GDPR), Europe’s personal data protection law, came into force in 2018. Since then, European regulators have issued a total of 2,825 fines, with cumulative penalties exceeding €6 billion ($7 billion).
As the latest data compiled by Finbold shows, the GDPR enforcement authorities remained strict in the first quarter of 2026, imposing a total of €68.18 million ($73.63 million) in fines between January 1 and March 31.
In other words, companies found in breach of GDPR provisions paid approximately €757,600 ($886,000) per day during the first three months of the year. Over that period, France and the U.K. were responsible for 94% of all fines, with the former imposing €47 million ($54.95 million) and the latter €16.89 million ($19.74 million) in penalties.
Poland took the bronze, with €2.94 million ($3.43 million), while spots four and five were reserved for Sweden and the Netherlands, with €565,000 ($660,660) and €250,000 ($292,317), respectively.
The biggest GDPR fines in Q1 2026
A number of large GDPR penalties marked the first quarter. Unsurprisingly, given the data above, France and the U.K. were behind most of them.
The biggest one involved Free Mobile, a French telecommunications company, which was sanctioned by CNIL on January 13 due to issues with subscriber data security. In the end, it paid a fee of €27 million ($31.52 million).
A similar issue led to the second-biggest penalty on February 23, when Reddit received a €16 million ($18.69 million) fine from the U.K.’s Information Commissioner’s Office (ICO) for failing to protect underage users’ data.
The third- and fourth-largest fines were also imposed by France. On January 8, Free, the parent branch of Free Mobile, paid €15 million ($17.52 million) for insufficient technical and organisational measures. Some time later, on January 22, France Travail, a governmental agency, was fined €5 million ($5.84 million) for failing to secure job seeker information.
Also worth mentioning are the €2.68 million ($3.13 million) paid on February 5 by DPD Polska, a Polish forwarding company charged with insufficient data processing.
E.U. privacy laws stricter than last year
Looking at past data, it appears that European data protection regulators have significantly stepped up their enforcement activity in 2026. Namely, the €68.18 million ($73.63 million) in total fines in the first quarter marked a sharp increase from the €13.8 million ($16.12 million) imposed during the same period in 2025.
The nearly 400% surge underscores a renewed push by GDPR authorities to crack down on privacy violations, as scrutiny over how companies handle personal data continues to intensify not just in the E.U. but across the entire European Economic Area (EEA).
Insufficient legal basis for data processing remains the most common violation, so far attracting 849 fines, worth €2.99 billion ($3.49 billion) in total. While France and the U.K. dominated the previous quarter, Spain remains the overall leader, with 1,060 fines to its name since the law came into effect.
Sector-wise, media, telecommunication, and broadcasting remain the most affected, their total fines currently amounting to €4.97 billion ($5.8 million). Among the highest individual crackdowns, Meta Platforms’ (NASDAQ: META) €1.2 billion ($1.3 billion) penalty imposed by Ireland in May 2023 remains unchallenged.
Source: https://finbold.com/gdpr-fines-hit-e68-million-in-q1-2026-as-france-and-u-k-drive-surge/







