GDPR Enforcement in Media, Telecoms & Broadcasting

Deep dive into relevant data protection enforcement cases and insights for media, telecoms & broadcasting

21 May 2026 Serbia 5 min read

The Media, Telecoms and Broadcasting sector remains the sector in which by far the highest total amount of fines has been imposed since the GDPR entered into force. This is partly due to record fines such as the EUR 1.2 billion fine imposed on Meta Platforms Ireland Limited back in May 2023 and is also attributable to the fact that the revenue of companies in this sector—which serves as the basis for calculating the fines—is often extremely high.

In total, new fines imposed in the sector in 2025 amounted to roughly EUR 957 million, spread across 50 fines. The highest fine was again issued by the Irish Data Protection Authority (DPC), followed in second place by the French CNIL, with the Italian, Croatian, and Spanish authorities coming next. The fine imposed by the DPC against TikTok is the third-highest fine ever imposed and the second-highest in the sector since the GDPR came into effect.

Key numbers

  • Total number of fines: 358
  • Total amount: 4,953,999,518
  • Average amount: 13,837,987
  • Biggest fine: 1,200,000,000

Let's take a closer look

  • The Irish Data Protection Authority (DPC) fined TikTok Technology Limited EUR 530 million in May 2025. This consisted of a fine of EUR 485 million for the unlawful transfer and storage of personal data of users of the TikTok platform in the EEA and a fine of EUR 45 million for failing to inform the data subjects about the data transfer (ETid-2584). The DPC stated in its reasoning that TikTok had failed to verify, guarantee and demonstrate that the data of EEA users, to which TikTok employees in China had remote access, enjoyed a level of protection that was essentially equivalent to that guaranteed within the EU. Consequently, TikTok had also failed to address the potential access of Chinese authorities to the data based on Chinese laws, including laws related to counterterrorism and counterespionage. Furthermore, TikTok’s privacy policy—which was amended during the course of the investigation—did not specify the countries to which personal data were transferred, nor did it explain the nature of the processing operations constituting the transfer. Even though TikTok stated that it had since deleted the affected data, the DPC also ordered TikTok to bring its data processing into compliance with the GDPR within six months or it would face suspension of data transfers to China.
     
  • In September 2025, the French Data Protection Authority CNIL imposed fines totalling EUR 325 million on Google, consisting of a fine of EUR 200 million against Google LLC and a fine of EUR 125 million against Google Ireland Limited (ETid-2862 and ETid-2863). The CNIL found that user consent, which was required under French laws to display advertisements in the form of emails in the “Promotions” and “Social” tabs of Gmail users who had enabled “smart features”, had not been obtained. Furthermore, until October 2023, it had been more difficult for users to refuse cookies for personalised advertising than to accept them when creating a Google account, which is why the consent given by the user was not voluntary and therefore invalid. Even after this change, users were not clearly informed that consenting to the use of cookies was a prerequisite for using Google’s services. The CNIL also ordered Google to take measures to cease the violations within six months, threatening to impose another penalty if it failed to do so. The investigation was triggered by a complaint filed in 2022 by the NGO None Of Your Business (NOYB).
     
  • In April 2025, the Italian Data Protection Authority (Garante) imposed a fine of EUR 5 million on the US company Luka Inc., which offered an AI chatbot named Replika that could serve as a conversational partner for users in roles such as a friend, therapist or romantic partner (ETid-2611). The fine was imposed due to various deficiencies in Replika’s privacy policy and the company's inability to demonstrate the legal basis on which it relied for processing. Furthermore, the service did not include a mechanism for verifying the age of its users. Garante also ordered the company to remedy the identified deficiencies.

Main takeaways

Companies in the Media, Telecoms and Broadcasting sector, in particular, are still required to bring their data processing activities into compliance with the GDPR and maintain that compliance, as they are under particular scrutiny from supervisory authorities. A review of the fines imposed in 2025 also shows that supervisory authorities in various countries are now actively conducting investigations and imposing fines in this sector.

In particular, the substantial fine imposed on TikTok demonstrates that, in the context of data transfers to third countries using Standard Contractual Clauses, the Transfer Impact Assessment (TIA)—which has been required since the Schrems II ruling—plays a particularly important role. Companies should always conduct this assessment carefully and in a manner that allows them to provide clear justification for the adequate level of protection provided by the SCCs and additional measures.

In light of the decisions against TikTok and Luka, as well as the selection of transparency obligations as the topic for the EDPB’s coordinated enforcement action in 2026, companies must, in particular, provide their users with clear, transparent, and sufficiently detailed information about the data processing activities they carry out.

Compliance hotspots

  • Insufficient legal basis for data processing
     
  • Data transfers to third countries
     
  • Transparency

Outlook

It is safe to assume that the compliance hotspots outlined above, in particular, will continue to be of great importance in the future.

The selection of transparency obligations as the topic for the EDPB’s coordinated enforcement action in 2026 shows that companies should be particularly vigilant when it comes to transparency obligations—specifically, in the design of their privacy policies. The citation of abstract legal bases without a concrete reference to the specific processing operations carried out could, particularly in light of the decision against Luka, potentially lead to more frequent criticism from supervisory authorities in the future.

Companies should also continue to exercise particular caution regarding cross-border data transfers and conduct the required transfer impact assessments in a detailed and thorough manner so that they can demonstrate compliance to supervisory authorities.
