The Intent and Reason behind Regulatory Fines across multiple Industry Sectors
July 28, 2025 - Selfcomplai
Abstract
The General Data Protection Regulation (GDPR) and related EU regulatory frameworks, including the Digital Markets Act (DMA), Digital Services Act (DSA), and competition laws, impose stringent standards across industries to protect consumer rights, ensure market fairness, and promote transparency. This paper examines the "what" and "why" of GDPR fines and other penalties in the technology, finance and banking, and hospitality and tourism sectors. In technology, GDPR fines target violations like improper data transfers and lack of transparency, as seen in cases against Meta (€1.2 billion) and Amazon (€746 million), while the DMA and DSA address market dominance and online content issues. The finance and banking sector faces fines under MiFID II, AMLDs, and PSD2 for non-compliance with transparency, anti-money laundering, and secure payment regulations, driven by the need for financial stability and consumer protection. In hospitality and tourism, GDPR and competition law fines address data breaches and anti-competitive practices, alongside consumer protection laws like the Package Travel Directive, to ensure trust and fairness. These regulations reflect the EU’s broader goals of safeguarding privacy, fostering competitive markets, and asserting digital sovereignty, using fines as tools to enforce compliance and drive innovation.

General Data Protection Regulation (GDPR)
The GDPR is a cornerstone of EU data privacy law, establishing stringent standards for the processing of personal data. Its core obligations revolve around the lawful processing of personal data, ensuring transparency with data subjects, obtaining valid and informed consent, implementing robust security measures, and upholding data subject rights such as access, rectification, and erasure (Intersoft Consulting, n.d.). Violations can lead to substantial fines, reaching up to €20 million or 4% of an undertaking's total global annual turnover, whichever is higher. The term "undertaking" is interpreted broadly to encompass the entire economic unit, including parent companies and subsidiaries, which has profound implications for large multinational corporate groups (Intersoft Consulting, n.d.).
The underlying purpose of GDPR fines is to safeguard the fundamental right to privacy for EU citizens and ensure the responsible and ethical handling of personal data in the digital age (Oro, n.d.). This aims to build trust in the digital economy, recognizing that effective data protection is crucial for both individual rights and market confidence. The regulation promotes accountability among organizations processing personal data, ensuring that they prioritize data security and individual control over personal information.
A. Technology Sector: Data Privacy, Digital Markets, and Fair Competition
The technology sector, characterized by its rapid innovation and pervasive influence, is a primary focus of EU regulatory scrutiny. The imposition of fines in this sector reflects the EU's commitment to safeguarding fundamental rights, ensuring fair market dynamics, and asserting regulatory control over the digital space.
Illustrative examples of GDPR fines highlight the diverse nature of violations:
- Meta Platforms Ireland Limited received a record €1.2 billion fine for transferring EU/EEA user data to the US without proper consent, violating international transfer regulations (Enforcement Tracker, n.d.).
- Amazon Europe Core S.à.r.l. was fined €746 million for non-compliance related to data processing without proper consent (Enforcement Tracker, n.d.).
- WhatsApp faced a €225 million penalty for not providing users with sufficient information about their data usage and for unclear privacy policies (Oro, n.d.).
- H&M incurred a €35.3 million fine for unlawful collection and storage of employee information, discovered after a technical error exposed the data (Oro, n.d.).
- Google LLC was fined €60 million by the French CNIL for insufficient transparency, control, and consent regarding the processing of personal data for behavioral advertising (Enforcement Tracker, n.d.).
- TIM received a €27.8 million fine for using and storing customer data without authorization (Oro, n.d.).
These cases underscore the importance of transparency, proper consent management, and robust data security measures in handling personal data (Oro, n.d.).
Digital Markets Act (DMA) & Digital Services Act (DSA)
The DMA and DSA represent newer legislative frameworks specifically designed to address the unique challenges posed by dominant digital platforms. The Digital Markets Act aims to make markets in the digital sector fairer and more contestable by establishing clear "do's and don'ts" for large digital platforms designated as "gatekeepers" (European Commission, n.d.). These obligations include allowing third parties to inter-operate with gatekeepers' services, providing business users access to generated data, and preventing self-preferencing of the gatekeeper's own services. Prohibitions include preventing consumers from linking to businesses outside their platforms or tracking end users for targeted advertising without effective consent (European Commission, n.d.). Fines under the DMA can reach up to 10% of the company's total worldwide annual turnover, or 20% in the event of repeated infringements (European Commission, n.d.).
The Digital Services Act, on the other hand, focuses on regulating illegal content, hate speech, disinformation, and false advertising more effectively online, essentially making "what is illegal offline illegal online" (Seattle University, 2022). It imposes obligations on online platforms to conduct risk assessments and provide transparency reports on content moderation, and it bans practices such as targeted advertising based on sensitive categories or aimed at minors, as well as "dark patterns" (Seattle University, 2022). Non-compliance with the DSA may result in penalties as high as 6% of the company's global annual turnover (Seattle University, 2022).
The necessity behind these regulations stems from a desire to address the power imbalance created by dominant tech platforms, foster innovation by ensuring a level playing field for smaller rivals, protect user choice, combat harmful and illegal content, and enhance transparency and accountability in the digital space (European Commission, n.d.). The emergence of DMA and DSA, alongside GDPR, with their specific focus on "gatekeepers" and regulating online content and behavior, suggests a broader strategic goal beyond mere market regulation. While the EU insists these regulations are neutral tools to promote fair competition, the consistent application of these laws to predominantly US tech firms points to an underlying ambition to assert regulatory control over the digital space and potentially foster European digital champions. This indicates the EU's desire for "digital sovereignty" and shaping global digital standards. The progression from GDPR (focused on data privacy) to DMA and DSA (focused on market power, content, and systemic risks) demonstrates the EU's dynamic regulatory approach, adapting to evolving market dynamics and identifying new legislative tools to address emerging market failures. This positions fines not as barriers, but as enablers of a more dynamic and competitive ecosystem.
Illustrative examples of fines under these new acts include:
- Apple was fined €500 million under the DMA for its "anti-steering" rules, which prevented app developers from informing customers about alternative, potentially cheaper, purchase options outside the App Store (Clover, 2025).
- Meta received a €200 million fine under the DMA for its "consent or pay" model on Facebook and Instagram, which the Commission found did not provide a free, equivalent alternative that involved less intrusive processing of personal data for targeted advertising (Zulhusni, 2025).
- An investigation into X (Twitter) under the DSA was reportedly stalled, highlighting the political sensitivities and complexities that can arise in the enforcement of these new digital regulations (Windwehr, 2025).
Competition Law (Antitrust)
EU competition law is a robust regime designed to promote fair competition and prevent anti-competitive practices across all sectors, including technology. It prohibits anti-competitive agreements, such as cartels, price-fixing, and market sharing, as well as the abuse of dominant positions (European Commission, n.d.). Fines for breaching competition rules can be substantial, with a maximum limit of up to 10% of a company's total worldwide turnover in the preceding business year (European Commission, n.d.). The severity of the penalty is influenced by factors such as the gravity and duration of the infringement, and cooperation with the European Commission can lead to reductions (Lee, 2025).
The purpose of these fines is to maintain a level playing field for businesses, prevent market fragmentation, ensure consumer benefits (such as lower prices, greater choice, and innovation) through effective competition, and protect the integrity of the EU's single market (European Commission, n.d.). Restrictions to parallel trade, for example, are seen as illegally fragmenting the internal market, preventing consumers from benefiting from greater choice and potentially leading to higher prices (A&L Goodbody, 2024).
Notable examples of competition law fines include:
- Google has faced over €8 billion in antitrust fines, including a €4.34 billion penalty for abusing its dominant position with the Android operating system (Lee, 2025).
- Pierre Cardin and Ahlers were fined €5.7 million for anti-competitive agreements that restricted cross-border trade within the EU's internal market, aiming for absolute territorial protection (A&L Goodbody, 2024).
- A group of truck manufacturers received a €2.93 billion fine for participating in a cartel that lasted 14 years (Lee, 2025).
- Maritime car carriers were collectively fined €395 million for anti-competitive behavior (Haukeli & Langseth, 2019).
These enforcement actions demonstrate the EU's commitment to ensuring that digital markets remain open and competitive, preventing the unfair accumulation of power by dominant players and fostering an environment conducive to innovation and consumer welfare.
B. Finance and Banking Sector: Stability, Transparency, and Crime Prevention
The financial and banking sector is subject to extensive EU regulation, driven by the imperative to maintain market stability, ensure transparency, and prevent financial crime. The regulatory framework, and the fines associated with its breaches, are crucial for safeguarding the integrity of the financial system and protecting investors and consumers.
Markets in Financial Instruments Directive II (MiFID II)
MiFID II is a comprehensive legislative framework established by the European Union to regulate financial markets and enhance investor protection (Eze Castle Integration, n.d.). It applies to a wide range of financial institutions, including investment firms, market operators, and trading venues. Key requirements include promoting transparency in trading by moving it from "dark pools" to regulated platforms, ensuring financial products and services are suitable for clients, mandating detailed pre- and post-trade disclosures, and requiring firms to execute orders to achieve the "best possible result" for clients (Eze Castle Integration, n.d.). Comprehensive transaction reporting and robust product governance structures are also mandated to minimize mis-selling practices (Eze Castle Integration, n.d.).
The directive's purpose is deeply rooted in the need to standardize financial practices across the EU and restore confidence in the industry, particularly in the aftermath of the 2008 financial crisis (European Parliament, 2014). It aims to enhance investor protection by reducing conflicts of interest, ensure market efficiency through increased transparency, and provide regulators with better oversight to reduce the risk of financial instability (Eze Castle Integration, n.d.). MiFID II seeks to balance the need for privacy in large transactions with the market's need for transparency, ultimately fostering fairer competition among service providers and protecting investors from hidden fees. This post-crisis regulatory overhaul reveals that significant financial regulations are often a direct response to systemic failures or crises, representing a concrete effort to prevent a recurrence of past economic instability and to rebuild public trust in a critical sector.
Anti-Money Laundering Directives (AMLDs)
The EU has adopted a series of Anti-Money Laundering Directives (AMLDs), including 5AMLD and 6AMLD, to combat money laundering and terrorist financing. These directives impose stringent obligations on financial institutions and other "obliged entities," requiring them to conduct customer due diligence, monitor transactions, and report suspicious activities (Financial Crime Academy, 2025). The directives have broadened in scope, increased sentencing for money laundering crimes (to a minimum of 4 years imprisonment), and extended criminal liability to legal persons like companies (Financial Crime Academy, 2025). Non-compliance can result in severe financial penalties, with fines of up to €5 million or 10% of total annual turnover, whichever is higher (Financial Crime Academy, 2025).
The fundamental "why" behind AMLD fines is to prevent the misuse of the financial system for illicit activities such as money laundering and terrorism financing (Financial Crime Academy, 2025). This contributes to global security, preserves the integrity and stability of the financial system, and supports sustainable growth (European Commission, n.d.). The severity of these penalties underscores the seriousness with which the EU views AML compliance, sending a clear message that adherence is mandatory (Financial Crime Academy, 2025). The link between financial integrity and global security is a high-level consideration. It elevates the purpose of AMLD fines beyond mere financial compliance to a matter of national and international security. Non-compliance in this sector has far-reaching implications, funding illicit activities that undermine societal stability, thus providing a compelling reason for the severity and necessity of these regulations.
Revised Payment Services Directive (PSD2)
The Revised Payment Services Directive (PSD2), an update to the original 2007 directive, aims to make online payments more secure while supporting competition in financial services (Stripe, 2024). Key mandates include strong customer authentication (SCA) for most online transactions, requiring multi-factor authentication to minimize fraud (Stripe, 2024). Crucially, PSD2 also requires banks to open their payment services and customer data to authorized third-party providers (TPPs) through "open banking" initiatives, with customer consent (Stripe, 2024).
The objectives of PSD2 are multi-faceted: to foster innovation and competition in retail payments by enabling new players (fintech companies) to enter the market, enhance the security of online transactions, strengthen consumer protection (e.g., immediate refunds for unauthorized transactions, control over financial data), and create a more integrated and efficient European payments market by standardizing payment regulations across the EU (Stripe, 2024). PSD2's mandate for "open banking" represents a proactive shaping of the market to encourage innovation and competition from fintech companies. The regulation creates a new framework that allows for innovative financial products and services that were previously impossible or highly restricted, reframing regulation not as a burden, but as a catalyst for new economic activity and consumer benefit.
General Banking Regulation Enforcement
Beyond sector-specific directives, the European Commission actively monitors the transposition and application of general banking and finance directives by EU countries. This includes overseeing the free movement of capital and initiating infringement cases where non-compliance is identified (European Commission, n.d.). Enforcement also extends to cross-border debt claims and insolvency regimes, where the EU has introduced frameworks like the Recast Brussels Regulation and the EC Regulation on insolvency to ensure an ordered regime for companies with affairs extending into more than one EU Member State (Alston & Bird, n.d.). These measures aim to provide mechanisms for the recognition of security interests and the enforcement over, and recovery of, a debtor's assets anywhere in the EU, thereby enhancing financial stability and legal certainty across the Union (Alston & Bird, n.d.). The role of compliance in financial services is to promote and maintain transparency and integrity of the financial markets and protect customers, investors, the economy, and society as a whole from financial crime, market manipulation, ethical threats, and systemic risk (Steel Eye, n.d.).
C. Hospitality and Tourism Sector: Consumer Rights and Fair Practices
The hospitality and tourism sector, a vital component of the European economy, is subject to EU regulations primarily focused on consumer protection, fair practices, and ensuring a high standard of service across borders. Fines in this sector reinforce consumer trust and market integrity.
Consumer Protection Laws
EU consumer protection laws are designed to ensure truthful advertising, fair terms in contracts, and the right for consumers to access goods and services on the same terms as local consumers (European Consumers Centre Network, n.d.). These laws aim to protect consumers from unfair commercial practices and provide recourse for damages. For widespread breaches, these laws can impose significant penalties, reaching GDPR-level fines of up to 4% of a company's total annual turnover in the affected Member State(s) or €2 million if turnover information is unavailable (Taylor Wessing, 2019). They also ensure that consumer rights apply even when personal data, rather than money, is exchanged for digital content or services, such as in loyalty programs or online booking platforms (Pinsent Masons, 2018).
The underlying purpose is to protect consumers from deceptive practices, ensure transparency (e.g., clearly informing consumers about the identity of the party with whom they are concluding a contract on online marketplaces), and adapt consumer rights to the evolving digital economy (Pinsent Masons, 2018). This fosters trust in cross-border transactions, which are highly prevalent in the tourism sector. A consistent theme across these laws is the empowerment of the consumer, going beyond simple protection from harm to actively granting rights like collective redress, clear information, and cancellation rights. This suggests that consumer welfare and autonomy are fundamental values underpinning EU regulatory action in this sector. Furthermore, the extension of consumer laws to cover situations where "personal data, rather than money, is exchanged" is a crucial adaptation to the changing nature of economic transactions in the digital age, ensuring that consumer protections remain relevant and effective.
Package Travel Directive
The modernised Package Travel Directive (Directive (EU) 2015/2302) updates older rules to adapt traveler protection to contemporary market and technological developments (European Commission, n.d.). It covers not only traditional package holidays but also self-customized packages, where travelers choose different elements from a single point of sale online or offline (European Commission, n.d.). The directive ensures clearer information for travelers regarding prices and additional charges, provides stronger cancellation rights, and establishes clear rules on liability, refunds, and repatriation in the event of an organizer's bankruptcy (European Commission, n.d.).
The "why" behind this directive is to ensure consumer safety and financial security in travel arrangements, particularly given the complexities of multi-component holidays and cross-border transactions. It also aims to make it easier for travel businesses to offer services across borders by harmonizing rules (European Commission, n.d.). The European Commission actively enforces this directive, as illustrated by its decision to refer Ireland to the Court of Justice of the EU for failing to transpose these rules into national law, proposing significant daily fines and lump sums based on the seriousness, duration, and the Member State's capacity to pay (European Commission, n.d.). This demonstrates the EU's commitment to ensuring member states uphold these critical consumer protections.
Cross-cutting Regulations (GDPR, Competition Law)
The hospitality and tourism sector is also significantly impacted by cross-cutting EU regulations like GDPR and competition law.
- GDPR: The hospitality sector extensively collects and processes guest data, including booking details, preferences, payment information, and sometimes passport scans. Non-compliance with GDPR in this context can lead to fines for data breaches, lack of proper consent for data processing, or insufficient security measures. For instance, a Spanish DPA imposed a fine on OCI CINE, S.L. (a cinema, which handles customer data similarly to hospitality venues) for insufficient technical and organizational measures leading to temporary customer data access (Enforcement Tracker, n.d.). Uber also received a substantial €290 million fine in the Netherlands for GDPR-related issues (Enforcement Tracker, n.d.).
- Competition Law: EU competition rules apply to travel agencies, airlines, hotels, and tour operators to prevent anti-competitive practices that could harm consumers or smaller businesses. This includes prohibitions against price-fixing, market sharing, or the abuse of dominant positions (European Commission, n.d.). While specific examples for hospitality were not provided, the fines against major banks for sharing sensitive pricing information (e.g., Citi, HSBC, Morgan Stanley, Royal Bank of Canada fined over £100 million for sharing information on UK government bonds) illustrate the type of anti-competitive behavior that could also occur in the tourism sector, leading to similar penalties (SkillCast, 2025).
The application of both sector-specific and cross-cutting regulations illustrates the layered nature of EU regulation. Fines in this sector can arise from data privacy breaches or anti-competitive practices that affect the travel market. This implies that businesses in this sector must navigate a complex web of regulations, and compliance requires a holistic understanding of how various EU laws intersect and apply to their operations.
Broader EU Tourism Policy
Beyond specific regulations, broader EU tourism policy aims to preserve Europe's position as a top tourist destination, maximize the industry's contribution to growth and employment, and foster collaboration among EU countries (European Parliament, n.d.). Initiatives like DiscoverEU promote cultural exploration, while efforts to protect geographical indications for non-agricultural products boost regional economies and tourism (European Parliament, n.d.). The EU also facilitates data collection and sharing related to short-term accommodation rental services, focusing on responsible, transparent, and fair growth in short-term rentals to balance tourism with quality of life for residents (European Parliament, n.d.). These broader policies provide the context for specific regulations and their enforcement, aiming for a sustainable and well-regulated tourism ecosystem (European Economic Interest Grouping, 2012).
References
- A&L Goodbody. (2024). Fines on businesses which prevent trade between EU States never fall out of fashion. From A&L Goodbody: https://www.algoodbody.com/insights-publications/fines-on-businesses-which-prevent-trade-between-eu-states-never-fall-out-of-fashion
- Alston & Bird. (n.d.). European Enforcement Guide. s.l.: Alston & Bird.
- Clover, J. (2025). Apple's Latest App Store Changes Satisfy EU, No More Fines Coming. From MacRumors: https://www.macrumors.com/2025/07/22/app-store-eu-changes-accepted
- Enforcement Tracker. (n.d.). GDPR Enforcement Tracker. From Enforcement Tracker: https://www.enforcementtracker.com
- European Commission. (n.d.). About the Digital Markets Act. From European Commission: https://digital-markets-act.ec.europa.eu/about-dma_en
- European Commission. (n.d.). Anti-money laundering and countering the financing of terrorism at EU level. From European Commission: https://finance.ec.europa.eu/financial-crime/anti-money-laundering-and-countering-financing-terrorism-eu-level_en
- European Commission. (n.d.). Fines. From European Commission: https://competition-policy.ec.europa.eu/index/fines_en
- European Commission. (n.d.). Monitoring of free movement of capital. From European Commission: https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/enforcement-and-infringements-banking-and-finance-law/monitoring-free-movement-capital_en
- European Commission. (n.d.). Protection for tourists: Commission refers Ireland to the Court of Justice for failing to provide EU rules on package travel. From European Commission: http://europa.eu/rapid/press-release_IP-19-1478_nl.htm
- European Consumers Centre Network. (n.d.). Consumer Rights When Shopping or Travelling in Europe. From ECC Net: https://www.eccnet.eu/consumer-rights/consumer-rights-when-shopping-or-travelling-europe
- European Economic Interest Grouping. (2012). Hotels. From EEIG: http://www.european-economic-chamber-eeig.eu/documents/Standards/HOTELS.pdf
- European Parliament. (2014). Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU. Official Journal of the European Union, L(173), pp. 349-496.
- European Parliament. (n.d.). Tourism. From European Parliament: https://www.europarl.europa.eu/factsheets/en/sheet/126/tourism
- Eze Castle Integration. (n.d.). MiFID II Compliance and Regulations. From Eze Castle Integration: https://www.eci.com/compliance-knowledge-center/mifid-ii-compliance-and-regulations
- Financial Crime Academy. (2025). Unlocking Compliance Success: EU AML Legislation Demystified. From Financial Crime Academy: https://financialcrimeacademy.org/eu-aml-legislation
- Intersoft Consulting. (n.d.). GDPR Fines / Penalties. From GDPR Info: https://gdpr-info.eu/issues/fines-penalties
- Lee, S. (2025). EU Competition Law Penalties Guide. From Number Analytics: https://www.numberanalytics.com/blog/ultimate-guide-to-eu-competition-law-penalties
- Oro. (n.d.). GDPR penalties and fines: An introduction. From Thoropass: https://thoropass.com/blog/compliance/gdpr-penalties-and-fines-an-introduction
- Pinsent Masons. (2018). High fines and collective redress planned under EU consumer law reforms. From Pinsent Masons: https://www.pinsentmasons.com/out-law/news/businesses-eu-penalties-consumer-law-breaches
- Seattle University. (2022). The European Union’s Digital Services Act: A New Era for the Internet?. From Seattle University: https://www.seattleu.edu/business/news-events/pov/ethics-matter/posts/the-european-unions-digital-services-act-a-new-era-for-the-internet.php
- SkillCast. (2025). The Biggest Competition Law Fines: Annual Report. From SkillCast: https://www.skillcast.com/blog/biggest-competition-law-fines-annual-report
- Steel Eye. (n.d.). Financial Services Compliance. From Steel Eye: https://www.steel-eye.com/financial-services-compliance-guide
- Stripe. (2024). What is PSD2? Here’s what businesses need to know. From Stripe: https://stripe.com/resources/more/what-is-psd2-here-is-what-businesses-need-to-know
- Taylor Wessing. (2019). GDPR-level fines for breach of EU consumer protection law nears final approval. From Taylor Wessing: https://www.taylorwessing.com/zh-hant/insights-and-events/insights/2019/04/gdpr-level-fines-for-breach-of-eu-consumer-protection-law-nears-final-approval
- Windwehr, S. (2025). Enforcement of EU's Tech Laws Should Not Be Traded Away. From Tech Policy Press: https://www.techpolicy.press/enforcement-of-eus-tech-laws-should-not-be-traded-away
- Zulhusni, M. (2025). EU hits Apple and Meta with first fines under gatekeeper rules. From TechHQ: https://techhq.com/news/eu-hits-apple-and-meta-with-first-fines-under-new-big-tech-rules
- Haukeli, O. E., & Langseth, J. M. (2019). General principles of EU/EEA Competition law. From Simonsen Vogt Wiig: https://svw.no/artikler/general-principles-of-eu-eea-competition-law