
Biggest GDPR Fines of 2026

Last updated: February 26, 2026

Last year, some hefty fines were issued, often to repeat offenders. We review the largest penalties dished out in 2026 so far and the breaches behind them.

With two months of the year behind us, a considerable number of penalties have already been issued. Free Mobile and Free have collectively seen a €42m fine, and the ICO has made headlines by issuing Reddit a penalty over its child age checks. We investigate the breaches behind the fines so that your company can avoid similar penalties.


Top GDPR fines in 2026

  1. Free Mobile - €27m fine
  2. Reddit - £14.5m fine
  3. Free - €15m fine
  4. France Travail - €5m fine

We continuously track the largest data protection fines throughout the year and have highlighted the biggest GDPR fines of all time.

What are the biggest GDPR fines in 2026?

1. Free Mobile - €27m fine

GDPR breaches - Art. 5 (1) e), Art. 32

France’s data protection authority, the CNIL, fined Free Mobile €27 million for failing to adequately protect subscriber data under the EU’s General Data Protection Regulation (GDPR). This fine was part of a larger €42 million sanction following a significant data breach, with Free Mobile receiving the largest share due to the severity of its violations.

The CNIL investigation found multiple GDPR breaches. Free Mobile had weak security practices: remote work systems lacked robust VPN authentication, and tools to detect abnormal system activity were ineffective. The company also retained former subscribers’ personal data, including bank account identifiers, for far longer than necessary, and failed to notify affected customers properly after the breach.

Although emails were sent, they did not explain the consequences or provide guidance on protecting personal information, as GDPR requires. The fine followed a cyberattack in October 2024 that exposed sensitive information for around 24 million customer contracts.

Complaints from over 2,500 affected individuals triggered CNIL’s inspection and eventual sanctioning of Free Mobile and its parent company, Free, with the bulk of the penalty targeting Free Mobile due to its direct responsibility for the lapses.

In summary, Free Mobile’s €27 million penalty highlights the CNIL’s strict enforcement of GDPR rules regarding data security, retention, and breach notifications, especially when a large volume of sensitive customer information is at stake.

2. Reddit - £14.5m fine

The UK’s data protection regulator has fined the social network Reddit £14 million for failing to properly protect children on its platform. The Information Commissioner’s Office (ICO) found that Reddit did not have effective age-verification systems in place to check the ages of its users. As a result, it was processing the personal information of children under 13 unlawfully, potentially exposing them to harmful or inappropriate content online.

Regulators noted that Reddit did not complete a required risk assessment before introducing new age checks in mid-2025. Previously, the platform had relied on users simply declaring their age, which the ICO deemed insufficient under UK law. This failure to implement proper safeguards put children at risk and violated the country’s child safety and data protection rules.

The fine is one of the largest penalties issued so far under the UK’s regulations on online safety and privacy for minors. Reddit has stated that it plans to appeal the decision, arguing that implementing stricter age checks can conflict with user privacy goals.

3. Free - €15m fine

GDPR breaches - Art. 32, Art. 34

France’s data protection authority, CNIL, has fined Free €15 million for serious GDPR violations linked to a large 2024 data breach. While Free Mobile bore the larger share of the penalty (€27 million), Free itself was specifically targeted for failings related to its fixed-line customer data, which was exposed during the incident.

The breach, which began through a weak VPN and access to Free Mobile’s subscriber management system MOBO, also compromised Free’s fixed-line subscriber records. CNIL found that Free failed to adequately secure its systems, communicate the breach to affected customers, and properly manage or delete old customer data. These lapses contributed to the exposure of millions of personal and financial records.

The €15 million fine highlights that even the parent company of a major telecom can be held accountable for cybersecurity weaknesses and regulatory non-compliance. CNIL’s action serves as a warning that GDPR obligations extend across all divisions, not just the mobile operations, and that insufficient safeguards can carry serious financial consequences.

4. France Travail - €5m fine

GDPR breaches - Art. 32

The French data protection authority, CNIL, fined France Travail €5 million after a 2024 data breach exposed sensitive personal information of job seekers. Attackers accessed accounts of partner advisers from CAP EMPLOI using social engineering, obtaining details such as national insurance numbers, email and postal addresses, and phone numbers for individuals registered over the past 20 years.

CNIL's investigation found that France Travail had identified necessary security measures but failed to implement them effectively. Weak access controls, insufficient authentication, and inadequate monitoring allowed the breach to occur, putting a large number of people at risk.

The authority cited the scale of the breach, the sensitive nature of the data, and France Travail's failure to act on known risks when deciding the fine. In addition to the penalty, the organisation must submit a corrective plan to CNIL, with potential daily fines of €5,000 if it does not comply.
