{"id":8306,"date":"2026-05-29T07:00:00","date_gmt":"2026-05-29T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8306"},"modified":"2026-05-29T07:00:00","modified_gmt":"2026-05-29T07:00:00","slug":"gdpr-set-the-tone-for-regulatory-action-and-the-ai-fine-pushback-to-come","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8306","title":{"rendered":"GDPR set the tone for regulatory action \u2014 and the AI fine pushback to come"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Big tech firms continue to push back against fines levied for alleged violations of European data protection law, in what could be a harbinger for AI regulations to come.<\/p>\n<p>While lawyers and experts quizzed by CSO broadly argue that big tech firms contesting data protection rules isn\u2019t a particular cause for concern, the more widespread introduction of AI technologies is a far greater data protection challenge on the horizon.<\/p>\n<p>The EU\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/562107\/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html\">General Data Protection Regulation (GDPR)<\/a> came into force eight years ago this week. Over those eight years, European regulators announced an estimated \u20ac7.1 billion in GDPR fines but nearly 40%, around \u20ac2.8 billion, has either already been annulled or is under active legal challenge, according to analysis by insurance brokerage Alliance Risk.<\/p>\n<p>Fines that have already been annulled include one against Amazon at \u20ac746 million (Luxembourg, March 2026) and another versus OpenAI at \u20ac15 million (Italy, March 2026). 
Those under active appeal include three fines against Meta (\u20ac1.2 billion, \u20ac265 million, and \u20ac91 million) and one against TikTok (\u20ac530 million).<\/p>\n<p>Alliance Risk used CMS Law GDPR Enforcement Tracker as its primary source for information on GDPR enforcement, cross-referenced against IAPP enforcement data and trackers from Kiteworks and UniConsent. Data on annulments came from reported court decisions.<\/p>\n<h2 class=\"wp-block-heading\">GDPR established a benchmark for breach notification<\/h2>\n<p>According to Alliance Risk, GDPR successfully laid the foundation for data protection law globally \u2014 particularly by first establishing the 72-hour breach notification standard.<\/p>\n<p>This three-day notification rule is law in six jurisdictions \u2014 EU, UK, Thailand, Kenya, Nigeria, and South Korea \u2014 and influential elsewhere. For example, the US CIRCIA rule for critical infrastructure, which is pending final rule publication this month, is due to apply the 72-hour standard.<\/p>\n<p>By comparison, HIPAA gives US healthcare organisations 60 days as a breach notification deadline. The SEC gives public companies four business days but only after they\u2019ve internally determined a breach is \u201cmaterial,\u201d which adds its own delay.<\/p>\n<p>Although the breach notification regulations established by GDPR have been a success, issues with the enforcement of rules remain.<\/p>\n<p>\u201cThe framework has structural weaknesses that large companies have learned to exploit in court, and nearly 40% of announced fines reflect that,\u201d according to Alliance Risk.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/1258597\/how-the-eu-ai-act-regulates-artificial-intelligence-and-what-it-means-for-cybersecurity.html\">EU\u2019s AI Act<\/a> reaches full application in August, and the European Commission is already proposing to reform GDPR through the Digital Omnibus. 
\u201cThe framework is being rewritten while it\u2019s still being tested,\u201d Alliance Risk concludes.<\/p>\n<p>\u201cThe fact that around 40% of GDPR fines by value are under challenge isn\u2019t necessarily a sign the system is broken,\u201d Nick Phillips, an intellectual property lawyer at Edwin Coe LLP, tells CSO. \u201cEight years in, the bigger fines were always going to end up in court, and the rulings that come out of those appeals are starting to give in-house teams something they\u2019ve never really had before: practical guidance on what regulators can and can\u2019t defend.\u201d<\/p>\n<p>Phillips argues that achieving GDPR compliance has improved enterprise security maturity, and that the 72-hour breach notification rule, coupled with the obligations to record all breaches, notify data subjects and improve security controls, has done more to drive that improvement than the threat of a fine for non-compliance.<\/p>\n<p>\u201cThat breach notification regime has arguably been the single biggest factor in forcing organisations to put proper incident response in place, get forensics providers on retainer, and start reporting breaches up to the board,\u201d Phillips says. \u201cA lot of that simply wasn\u2019t happening before 2018, and it\u2019s the part of GDPR that\u2019s done the most work.\u201d<\/p>\n<p>Marco Eggerling, LL.M, security and trust officer for EMEA and Asia at robotic process automation vendor UiPath, says it would be a \u201cmistake to read these annulments as courts clearing big tech.\u201d<\/p>\n<p>\u201cIn the Amazon case, the Luxembourg court upheld the substance of the violations and sent the matter back to the regulator,\u201d Eggerling notes. \u201cThe fine fell because the authority skipped required steps, not because the conduct was found lawful.\u201d<\/p>\n<p>Eggerling adds: \u201cThe lesson for regulators is to build procedurally bulletproof decisions. 
The lesson for companies is that the underlying obligations have not moved an inch.\u201d<\/p>\n<p>Even within the EU there is a disparity in how regulations are understood and applied, making cross-border decisions about data and AI challenging.<\/p>\n<p>\u201cA lot of organisations lean towards the \u2018lowest common denominator\u2019 and adhere to the strictest governance and more conservative approaches in order to avoid the wrath of regulators,\u201d says Caroline Carruthers, CEO and founder of global data consultancy Carruthers and Jackson.<\/p>\n<p>The UK and EU apply stricter regulations than the US or China, so many organisations adhere to the stricter rules wherever they operate.<\/p>\n<p>Due to their size and nature, \u201cbig tech\u201d organisations tend to have a heightened appetite for risk and a desire to push the boundaries of regulations \u2014 and often a different relationship with the general public, whose data is the business model. \u201cThey have a vested interest in deregulation and so will naturally be the most likely to contest enforcement,\u201d Carruthers notes.<\/p>\n<h2 class=\"wp-block-heading\">Data regulations need to evolve with the advent of AI<\/h2>\n<p>For most organisations, the enforcement of GDPR has gotten to a place where it is broadly fit-for-purpose, according to Carruthers.<\/p>\n<p>\u201cWhen GDPR was first introduced, the guidance was unclear and inconsistent,\u201d Carruthers explains. \u201cIt felt legally robust, but a lot of the data practitioners struggled to make it work. Even now, some businesses tell us that they are \u2018paralysed\u2019 a little by GDPR. 
They are highly fearful of data and the associated regulation, to the extent that they are unable to maximise \u2014 or even touch on \u2014 the potential power of data.\u201d<\/p>\n<p>However, as AI and data regulation evolves, there\u2019s a need to account for how these tools are now being used.<\/p>\n<p>The concern is that history may repeat itself as regulation looks to keep pace with technological change. \u201cThere is a risk that organisations get stuck in a mid-maturity plateau in which innovation is halted by complex and inconsistent interpretations of regulations,\u201d Carruthers warns.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Big tech firms continue to push back against fines levied for alleged violations of European data protection law, in what could be a harbinger for AI regulations to come. While lawyers and experts quizzed by CSO broadly argue that big tech firms contesting data protection rules isn\u2019t a particular cause for concern, the more widespread 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8307,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8306","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8306"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8306"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8306\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8307"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}