
GDPR Enforcement Against Non-EU Companies: Who Actually Gets Fined
Short answer
EU regulators do fine companies based outside the EU, and the GDPR is built to make it possible. Enforcement follows the data, not your mailing address. A missing Article 27 representative rarely triggers the headline fine, but it is the first red flag an investigator sees.
Clearview AI has been fined more than €100 million by European regulators. It has no office in the EU, no staff in the EU, and to this day it has not paid a cent. If you run a company outside the EU, that single sentence should make you curious about exactly how this works, because the lesson hiding inside it is not the one most people take away.
The short version: EU regulators absolutely do fine companies based outside the EU, and the GDPR is built to make that possible. Enforcement follows the data, not your mailing address. A missing Article 27 representative rarely produces the headline fine by itself, but it is the first red flag an investigator sees, and it quietly removes the one EU contact point that could have stopped a complaint from snowballing. Here is what the record actually shows.
The €100 million company with no European address
Clearview AI is a US facial-recognition company that scraped billions of photos from the public web, including from people across Europe who never heard of it. Four separate authorities decided that was a problem. France fined it €20 million. Greece fined it €20 million. Italy fined it €20 million. The Netherlands went further with €30 million. Add it up and you are well past €100 million, all aimed at a company that argues it has no EU presence and therefore cannot be touched.
The interesting part is that Clearview has mostly gotten away with not paying, at least so far. It holds no assets in Europe, sells nothing in Europe, and has bet that regulators cannot reach across the Atlantic to collect. Privacy groups have since filed criminal complaints to change that calculus, but the standoff is real.
The standoff is also getting personal. When the Dutch authority issued its €30.5 million fine in September 2024, it attached a further penalty of up to €5.1 million for continued non-compliance and said openly that it was investigating whether Clearview's directors could be held personally liable. Hiding behind a corporate shell on another continent works until regulators start addressing the people inside it.
So if a company can rack up nine-figure fines and shrug them off, why should any non-EU business care? That is exactly the wrong lesson to learn, and it is worth being precise about why.
Why "they cannot collect" is a trap for normal businesses
Clearview is a genuine outlier. It has no customers in the EU, no revenue in the EU, no bank accounts in the EU, and no intention of ever having them. It has nothing to lose by being banned from a market it never wanted.
Your company is almost certainly the opposite. If you are reading this, you probably sell to European customers, process their payments, run analytics on European visitors, or plan to grow into the European market. The moment you have something in the EU worth protecting, the regulator's leverage changes completely:
- Fines can be enforced against EU revenue, EU subsidiaries, and EU bank relationships.
- Payment processors, app stores, and B2B partners increasingly ask for proof of GDPR compliance before they work with you.
- A public enforcement decision is searchable forever and lands in front of every prospect doing due diligence on you.
- Supervisory authorities can order you to stop processing EU data, which for many businesses is the same as being shut out of the market.
Clearview can ignore a ban because it does not want the market. You cannot ignore a ban on the market you are trying to sell into. That is the whole difference, and it is why "some companies dodge the fines" is a story about Clearview, not about you.
How the GDPR reaches across borders in the first place
None of this works without Article 3(2), the part of the GDPR that makes it extraterritorial. The rule is simple: if you offer goods or services to people in the EU, or you monitor their behaviour, the GDPR applies to you no matter where your company sits. A server in Ohio and a founder in Singapore do not put you outside the regulation. The data does the deciding.
This is not theoretical. The largest GDPR fines on record include companies headquartered outside the EU, and the meta-point is consistent across regulators: they treat "we are not based in Europe" as irrelevant. As of early 2026, authorities have issued roughly 2,685 fines totalling around €6 billion, and 2025 alone added more than €1 billion. The trend line for enforcement against foreign companies points up, not down.
Geography offers no shelter either. The same extraterritorial logic has been applied to companies in Canada, the United States and beyond, and the EU's cooperation machinery means a complaint filed in one member state can surface in any of the twenty-seven. For a US company the practical translation is simple: the question is not whether European law can reach you, but whether anyone in Europe currently has a reason to look.
Where the EU representative actually fits
Here is the part most articles get wrong, so let us be accurate. Failing to appoint an EU representative under Article 27 is not usually the violation that generates a giant fine. It sits in the lower penalty tier, capped at €10 million or 2% of global annual turnover, and it rarely appears as a standalone charge.
What it does is worse in a quiet way. The representative is the official EU contact point for regulators and for the individuals whose data you hold. When someone files a complaint or an authority opens a question, the first thing they look for is that contact point. If it is missing, two things happen at once. First, you have committed a clear, easy-to-prove violation that gets stacked onto everything else they find. Second, you have no one inside the EU to receive the notice, manage the response, or de-escalate the situation before it becomes a formal case. A complaint that a representative could have closed in a week becomes an investigation instead.
The missing representative is rarely the fire. It is the unlocked door that lets the fire spread.
The first fine that was only about the representative
For years the safest claim in GDPR commentary was that nobody gets fined just for skipping Article 27. Then the Dutch authority did exactly that. In May 2021 it issued a €525,000 fine against LocateFamily.com, a Canadian website that published names, addresses and phone numbers of people worldwide, including Europeans who had never heard of it. The decision did not hinge on a breach or a denied deletion request. The charge was the missing EU representative itself: people who wanted their data removed had no one in the Union to send the request to.
Two details make the case worth remembering. First, the amount was not symbolic. Under the Dutch fining guidelines a missing representative carries a base fine of €525,000, which tells you how seriously regulators grade the violation. Second, the authority attached a remediation order: appoint a representative within twelve weeks or pay another €20,000 for every two weeks of delay, up to €120,000 on top. The message was not subtle. The representative is not paperwork that regulators forgive when the rest looks tidy. It is the doorway through which every other right is exercised, and a company that removes the doorway gets fined for the doorway.
What this means if you sell into Europe
Strip away the drama and the practical picture is calm and manageable:
- Check whether Article 27 applies to you. If you are a non-EU company offering goods or services to people in the EU, or monitoring their behaviour, and your processing is not genuinely occasional and low-risk, you need a representative. Most companies with real EU traffic do.
- Appoint a representative before a complaint forces the question. It is a low-tier obligation that is trivially easy to fix in advance and conspicuously embarrassing to fix after a regulator points it out.
- Treat it as the floor, not the ceiling. A representative is one piece. It works best alongside a clear privacy notice, a lawful basis for what you do, and a way to handle data subject requests.
The companies that get burned are almost never the ones that asked "do I need this?" early. They are the ones who assumed distance was protection, found out it was not, and had no EU contact point to catch the first complaint.
A practical note on timing: the right moment to fix this is before your next growth push, not after. New campaigns, new markets and new funding rounds all raise your visibility, and visibility is what turns a quiet gap into a found one. Appointing a representative takes minutes; explaining to a regulator why you did not takes considerably longer. It also reads well in the other direction: naming your EU representative in your privacy notice is one of the few compliance signals that is publicly visible to customers, partners and regulators alike, which makes it disproportionately good value for a single appointment.
If you are not sure whether Article 27 applies to your situation, the fastest way to find out is to run the free compliance checker, which walks through the same questions a regulator would in about a minute. For the full picture of what a representative does and what it costs, the EU representative guide covers it end to end.
Distance from Europe was never a legal strategy. Clearview is proving that the hard way, and it is the one company that can almost afford to. For everyone else who actually wants European customers, the math is simpler: appoint a representative, keep the door locked, and stay off the enforcement tracker entirely.
Written by
Usantis Editorial (placeholder)
The Usantis editorial team writes about EU representation and Article 27 GDPR for companies based outside the EU.