Subscribe

Europe has fined companies €10.5 billion for breaking digital law.

Most of it wasn't anything dramatic. Most of it was a misconfigured cookie banner, a missing alt text, a fake countdown timer. Here is the data, visualised.

12,847 subscribers · Founders, DPOs, journalists
€10.51BTotal fines tracked across all EU directives
2,847Individual decisions logged from 31 regulators
€324MAverage monthly enforcement spend, 2025
+58%Year-over-year growth in fine volume
№ 01 — Latest enforcement

In the last seven days.

Three fresh decisions from three regulators, in three different sectors. The pace is not slowing.

Updated 4 min ago
2 days ago · France€325MGoogle Ireland Ltd.

CNIL ruled the consent mechanism on Google services failed to provide a clear "reject all" option equivalent to "accept all" — a violation of ePrivacy Article 5(3) and dark-pattern principles under UCPD.

CNIL · FranceGDPR
4 days ago · Italy€4.2MShein Distribution

AGCM imposed sanctions for fake countdown timers, manipulative scarcity indicators ("only 2 left in stock") with no inventory backing, and missing 30-day lowest-price disclosure required by Omnibus.

AGCM · ItalyOMNIBUS
6 days ago · France€180KAuchan Retail SA

First administrative penalty under the European Accessibility Act since enforcement began. DGCCRF cited 14 separate WCAG 2.1 violations on auchan.fr including missing alt text and unlabelled form inputs.

DGCCRF · FranceEAA
№ 02 — Geography

Where the fines come from.

A handful of regulators do most of the work. Spain leads in volume; Ireland leads in headline numbers; Germany leads in unpredictability.

Bubble size: total fines (€)
IE€2,847MFR€1,924MES€612MIT€485MDE€280MNL€98MPL€67MSE€48MBE€32MA continent of 31 regulators.

Top jurisdictions by total fines

  • 01IEIreland€2,847M
  • 02FRFrance€1,924M
  • 03ESSpain€612M
  • 04ITItaly€485M
  • 05DEGermany€280M
  • 06NLNetherlands€98M
  • 07PLPoland€67M
  • 08SESweden€48M
  • 09BEBelgium€32M
  • 22 others€117M
№ 03 — Timeline

The wave, month by month.

Enforcement intensifies as new directives come online. EAA arrived in June 2025. AI Act lands in August 2026. The slope only goes up.

24 months · May 2024 — Apr 2026
GDPRePrivacyEAAOmnibusDSAAI Act
€500M€375M€250M€125M€0May '24Sep '24Jan '25May '25Sep '25Jan '26May '26→ Aug '26EAA liveJUN 2025AI Act landsAUG 2026
№ 04 — Top offenders

The thirty largest fines, at scale.

Each rectangle is one enforcement decision, sized by amount, coloured by directive. Two companies account for nearly half of all enforcement.

Showing top 30 by amount
€1.2BMeta Platforms Ireland2023 · DPC IE · GDPR · Cross-border transfers
€746MAmazon Europe2021 · CNPD LU · GDPR
€405MMeta · Instagram2022 · DPC IE
€345MTikTok Ireland2023 · DPC IE
€325MGoogle Ireland2026 · CNIL FR
€290MMeta · WhatsApp2021 · DPC IE
€265MMeta · Facebook2022 · DPC IE
€200MX (Twitter)2025 · EC · DSA
€170MClearview AI2022 · Various
€150MShein2025 · DGCCRF FR
€90MGoogle · Ireland2022 · CNIL FR
€60MFacebook FR
€50MGoogle Spain
€45MAliExpress
€35MSpotify
€32MBooking.com
€28MVodafone DE
€22MCriteo
€20MClearview AI IT
€15MWish.com
€12M[expected '26]
€8M+ 23 first EAA fines
№ 05 — By directive

Six directives, one tracker.

GDPR still dominates, but ePrivacy and Omnibus are growing fastest. EAA is brand new. AI Act is loaded and waiting.

Sparkline: 24-month trend
GDPRGeneral Data Protection Regulation · Active since May 2018€6.84BTotal fines tracked
Decisions
2,184
Avg fine
€3.1M
YoY
+34%
ePrivacyePrivacy Directive · Active since 2002€2.18BTotal fines tracked
Decisions
487
Avg fine
€4.5M
YoY
+62%
EAAEuropean Accessibility Act · Active since Jun 2025€4.2MTotal fines tracked
Decisions
27
Avg fine
€156K
YoY
NEW
OmnibusUnfair Commercial Practices · Active since May 2022€312MTotal fines tracked
Decisions
98
Avg fine
€3.2M
YoY
+87%
DSADigital Services Act · Active since Feb 2024€245MTotal fines tracked
Decisions
14
Avg fine
€17.5M
YoY
+340%
AI ActAI Act · Live August 2026 — 4 months€0No fines yet · be the first to know
Decisions
0
Max fine
€35M / 7%
Status
WAITING
№ 06 — The interesting question

Could a scanner have caught it?

For every fine in the tracker, we ask: would Compliwatch's automated scanner have detected the violation before the regulator did? The answer is: most of the time, yes.

Across 2,847 tracked fines

Two out of three fines were preventable.

67%

Of the 2,847 fines we track, 1,907 involve violations our automated scanner would catch on first contact with the website. Missing alt text. Cookie banner without a reject button. Fake countdown timer. Privacy policy that omits required clauses. The kind of things you only find out the hard way.

  • Auto · 67%Detectable automatically by the Compliwatch scanner
  • Hybrid · 18%Detectable in context — we surface the risk, human verifies
  • Manual · 15%Requires human review — internal processes, intent assessment
№ 07 — In the records

This month's full register.

Every fine logged in the last 30 days. With short summaries and the verdict: would we have spotted it.

12 of 84 fines shown
  • GDPRFrance26 Apr 2026

    Google Ireland

    €325,000,000

    CNIL fined Google for a cookie consent mechanism that made "reject all" significantly harder to access than "accept all" — a dark pattern violating ePrivacy Article 5(3).

    Detectable by scanner
  • EAAFrance22 Apr 2026

    Auchan Retail

    €180,000

    First EAA enforcement action in France. DGCCRF identified 14 separate WCAG violations on auchan.fr — missing alt text, insufficient colour contrast, unlabelled form inputs.

    Detectable by scanner
  • OMNIBUSItaly24 Apr 2026

    Shein Distribution

    €4,200,000

    AGCM sanctioned Shein for fake countdown timers that reset on refresh, false scarcity indicators ("only 2 left in stock"), and missing 30-day lowest-price disclosure required by Omnibus.

    Detectable by scanner
  • GDPRGermany19 Apr 2026

    Vodafone Deutschland

    €12,400,000

    BfDI ruled that the legacy customer database retained personal data for 11 years past the contractual retention period. Insufficient deletion procedures.

    Internal process — partial detection
  • EPRIVACYSpain17 Apr 2026

    Glovo App

    €2,800,000

    AEPD ruled Glovo's tracking SDKs activated before consent was obtained, and "essential cookies" classification included Facebook Pixel and Google Analytics.

    Detectable by scanner
  • DSAEU15 Apr 2026

    AliExpress

    €48,000,000

    European Commission imposed a periodic penalty for failure to assess and mitigate systemic risks related to illegal product listings — DSA Article 34.

    Platform-level — needs review
  • EAANorway12 Apr 2026

    HelsaMi health portal

    NOK 50,000/day

    Difi imposed daily coercive penalties for accumulating accessibility violations in a public health portal — keyboard navigation broken, screen reader incompatibility.

    Detectable by scanner
  • OMNIBUSPoland9 Apr 2026

    Allegro.pl SA

    €1,250,000

    UOKiK ruled certain sellers on Allegro displayed reference prices that had never been the actual price — violating Omnibus Article 6a "lowest 30-day price" rule.

    Detectable by scanner
  • GDPRNetherlands7 Apr 2026

    Booking.com BV

    €8,500,000

    Dutch DPA found the company delayed breach notification by 17 days after a security incident affecting 4,109 customer records.

    Process violation — undetectable
  • EPRIVACYFrance4 Apr 2026

    Shein Distribution Fr.

    €150,000,000

    CNIL ruled Shein deployed third-party trackers (TikTok Pixel, Meta Pixel, Google Ads) before any user consent, on a site visited monthly by 12M French users.

    Detectable by scanner
  • GDPRItaly2 Apr 2026

    Enel Energia

    €5,200,000

    Garante fined the energy provider for unsolicited marketing calls relying on consents collected by third-party brokers without sufficient verification.

    Telephony — not scannable
  • OMNIBUSSweden1 Apr 2026

    Klarna Bank

    €2,100,000

    Konsumentverket ruled the "Buy Now Pay Later" checkout flow used dark patterns to nudge consumers toward the credit option without proper risk disclosure.

    Detectable by scanner
View the full register
№ 08 — How this works

Methodology, in brief.

All data is sourced from primary documents — official regulator decisions, press releases, and published rulings. No paywalls, no scraping of commercial databases.

  1. 01

    Source

    Decisions are pulled directly from regulator websites — CNIL, AEPD, AGCM, ACM, UOKiK, Bundesnetzagentur, the European Commission and 24 others.

  2. 02

    Extract

    Each decision passes through an extraction pipeline: structured fields (company, amount, date, articles violated) are parsed and translated into a common schema.

  3. 03

    Classify

    Violation types are tagged against the Compliwatch taxonomy of 100+ technical checks. Each fine is then mapped to "detectable by automated scan: yes / partial / no".

  4. 04

    Publish

    Verified entries are published with a link to the original source. Errors and corrections are versioned and credited. All amounts are converted to EUR at the date-of-decision rate.

Get every new fine in your inbox Monday morning.

What was fined last week. Who fined whom. Whether Compliwatch would have caught it. Read in three minutes.

12,847 subscribers · Founders, DPOs, journalists