
Global Privacy in Practice: Lessons from 2025 and the Roadmap for 2026

By Natalia Ivanova, 6 January 2026 (5 min read)

The start of a new year is a time for reflection, reset and setting priorities. 2025 left a clear legacy: record-level fines, increasingly coordinated cross-border enforcement and a growing focus on how privacy controls operate in practice.

Regulators across Europe and beyond moved from guidance, enforcement discretion and corrective measures to serious fines and more intrusive supervisory actions targeting unlawful international data transfers, weak consent mechanisms and poor governance. As we move into 2026, these developments send a clear message to organizations operating internationally: privacy and cyber security risks require proactive operational compliance and are a non-negotiable business priority.

2025: A Year Defined by High Impact Cases

In 2025, several matters set global benchmarks for enforcement scope, fine size and remediation expectations, with regulatory attention shifting to detailed scrutiny of how organizations implement privacy and security controls day to day, especially in complex, multinational environments.

TikTok

The Irish Data Protection Commission’s enforcement action against TikTok, in which it issued a €530 million fine and ordered corrective measures following an inquiry into transfers of EEA User Data to China, highlighted ongoing regulatory concerns around international data transfers and the adequacy of safeguards where personal data may be accessed from outside the EEA. The case reinforced that contractual measures alone are not sufficient if organizations cannot evidence meaningful risk assessments, technical controls and oversight of cross-border access.

Unlawful cross-border transfer was also at the heart of the enforcement action against Dior under China’s Personal Information Protection Law (PIPL). Dior failed to comply with local export requirements, highlighting that China’s data transfer and localization rules are being actively enforced.

Vodafone GmbH

Another common theme in data protection authorities’ investigations was supplier and processor oversight. Germany’s BfDI imposed two penalties totaling €45 million on Vodafone GmbH: €15 million for failing to review and monitor partner agencies acting on its behalf, and €30 million for authentication weaknesses that enabled unauthorized access to eSIM profiles. This underscores that controller liability extends deeply into sales channels and commissioned partners.

Generali

A similar message emerged in Spain, where the AEPD published sanctions against Generali (€4 million) following a breach exacerbated by third‑party broker access to ex‑customer data, and against Orange (€1.2 million) and ING (€1.6 million) for privacy‑by‑design and lawful‑basis failures in customer onboarding, highlighting access‑revocation, DPIA, and supplier governance gaps.

Mobius Solutions

In France, the CNIL fined Mobius Solutions Ltd (€1 million), a former Deezer subcontractor, for illicit retention and reuse of tens of millions of user profiles after contract termination and for security lapses that led to data appearing on the dark web, reinforcing the importance of post‑termination deletion, contract compliance, and independent audits of processors.

Capita

The UK ICO’s £14 million penalty against Capita for a 58‑hour lag in acting on a high‑severity alert, weak privilege segregation, and testing gaps put incident‑response readiness and security governance under scrutiny. The takeaway is similar: policy binders don’t suffice unless organizations can demonstrate timely detection and containment, robust access‑control architecture and continuous validation of controls in practice.

23andMe

Security failings also resulted in a £2.31 million fine following the joint investigation by the ICO and the Privacy Commissioner of Canada into 23andMe. According to the ICO, the organization failed “to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.”

Transnational Cooperation

Beyond the UK-Canada collaboration on 23andMe, 2025 saw transnational cooperation become the default in investigations and enforcement: Norway’s Datatilsynet handled its Telenor case as a cross-border investigation, inviting comments from Sweden and Denmark before imposing orders and a NOK 4 million fine for governance deficiencies; and the ICO led a joint probe with Jersey, Guernsey and the Isle of Man into the Prospect/Bectu cyber incident, reflecting how authorities align when a single breach affects data subjects across multiple legal territories.

Across the pond, the California Privacy Protection Agency (CPPA) brought a number of enforcement actions under both the California Consumer Privacy Act (CCPA) and the California Delete Act that highlighted several regulatory priorities. The CPPA penalized businesses for failing to provide functional opt-in/opt-out mechanisms and for collecting more data than necessary, emphasizing the importance of data minimization. Honda agreed to change its practices and pay $632,500 for obstructive rights-request flows and non-compliant opt-out interfaces. Todd Snyder, Inc. was fined $345,178 for misconfiguring its privacy portal and cookie banner, which resulted in a 40-day lag in processing consumer opt-out requests, and for requesting more information from consumers than necessary to process their privacy requests.


Children’s Data

Children’s data also drew sharper action in 2025. In the US, the Federal Trade Commission secured a $20 million COPPA settlement with Cognosphere (publisher of Genshin Impact), requiring stronger parental-consent controls and clearer disclosures around in-game “lootbox” mechanics. It also filed a complaint against the Sendit app over alleged unlawful collection and deceptive practices affecting minors, signaling tougher scrutiny of products popular with young users.

Beyond individual cases, authorities coordinated their scrutiny through the Global Privacy Enforcement Network (GPEN) 2025 global sweep on children’s privacy, collectively examining age-assurance, transparency and default privacy settings in services used by minors, work that feeds directly into each regulator’s enforcement agenda. In Canada, the OPC flagged youth privacy as a key priority and reported joint investigations with provincial regulators into global platforms (including TikTok and OpenAI), underscoring that protection of minors is increasingly being tackled through multi-authority investigations as well as penalties.


Your Action Plan Priorities For 2026

Practical implementation over paper compliance. Test‑run policies and procedures to ensure they can be executed under time pressure. Train staff so they know exactly what to do during change events or a breach.

International transfers. Document risk analyses, enforce technical and organizational safeguards and update privacy notices, especially where staff in higher-risk jurisdictions can access EU/UK data.

Access security. Mandate MFA, password‑compromise checks, strong password policies, session monitoring, tiered admin privileges, and hardening against credential stuffing.

Third-party assessment. Scrutinise your Article 28 assessment practices, conduct audits and ensure contracts contain clauses on security, sub-processors, breach notification and deletion/return of data.

Consent and honoring consumer choices. Honor opt‑out signals, design symmetrical choices, minimize friction for rights requests, audit cookies and test cookie banners for compliance.

Children’s data. Implement verifiable parental consent workflows and age‑assurance measures proportionate to risk; log and audit these flows.

Natalia Ivanova, Academy Consultant