A commissioner at the Luxembourg data protection agency has defended the lack of fines for General Data Protection Regulator (GDPR) breaches in the country, where many multi-national businesses are based.

As the EU’s GDPR approaches its third anniversary in May, Luxembourg has yet to issue a single fine under the law and none are believed to be imminent.

Marc Lemmer, said he is more interested in altering attitudes than levying fines.

“The aim is not to have big sanctions: the aim is to have a change in culture,” he told the Politico news website.

The regulator had said the first fine would be issued in 2020. There were none, and Lemmer declined to say when there would be any.“Things are moving forward. It’s not that we are not active,” said Lemmer. He highlighted that audits looking into various companies’ compliance with GDPR, such as whether they have a data protection officer, are drawing to a close.

Luxembourg’s approach has drawn criticism from digital rights campaigners Access Now. “It is unacceptable that more than two years after the entry into application of the GDPR, we are still waiting on … Luxembourg to resolve any of its major cases,” said Estelle Masse, the group’s privacy lead. “Without enforcement, there will be no change in culture.”.

Though the DPA has yet to issue a final decision, its four commissioners have initiated 82 investigations and issued 235 corrective measures where it asks companies to comply with data protection rules.

Register for free to receive the latest privacy, security and data protection news and analysis straight to your inbox