20 biggest GDPR fines so far [2023] – Data Privacy Manager (2024)

The year 2023 witnessed a groundbreaking GDPR fine of over €1.2 billion imposed on Meta (formerly known as Facebook). Of the top 20 GDPR fines recorded, seven were imposed on Meta or Meta-owned companies.

Astonishingly, this single fine alone comes close to eclipsing the combined total of all GDPR fines issued by January 28, 2022, which was approximately €1.64 billion.

Collectively, GDPR fines have now reached over €4 billion. These figures demonstrate the ongoing commitment to upholding data protection regulations and highlight the increasing financial consequences of non-compliance.

We will delve into the details of the 20 biggest GDPR fines, shedding light on the monumental penalties and providing insights into the evolving landscape of data protection enforcement.

1. Meta GDPR fine – €1.2 billion

In May 2023, in a groundbreaking decision in the five years of GDPR enforcement so far, the Irish Data Protection Commission (DPC) imposed a historic fine of €1.2 billion on US tech giant Meta.

This record-breaking fine was issued for transferring personal data of European users to the United States without adequate data protection mechanisms and serves as a significant milestone in data protection regulation.

Meta, the parent company of popular platforms like Instagram and WhatsApp, has been penalized before for failing to comply with the European Union’s General Data Protection Regulation (GDPR). Still, this fine far surpasses all other fines.

As Meta plans to appeal the decision, the outcome of this legal battle will have far-reaching implications, shaping the future of data transfers and privacy rights in the digital age.

This fine serves as a clear warning to other companies that the GDPR’s requirements must be taken seriously, and that non-compliance can result in severe financial consequences.

2. Amazon GDPR fine – €746 million

On July 16, 2021, the Luxembourg National Commission for Data Protection (CNPD) issued a fine in the amount of €746 million ($888 million) to Amazon.com Inc.

The fine was issued due to a complaint filed by 10,000 people against Amazon in May 2018 through La Quadrature du Net, a French privacy rights group that promotes and defends fundamental freedoms in the digital world.

The CNPD opened an investigation into how Amazon processes personal data of its customers and found infringements regarding Amazon’s advertising targeting system that was carried out without proper consent.

3. Meta GDPR fine – €405 million

On September 5, 2022, Ireland’s Data Protection Commission (DPC) issued a €405 million GDPR fine to Meta Ireland concerning the lawfulness of processing children’s personal data under the legal bases of performance of a contract and legitimate interest.

The DPC’s investigation focused on teenagers between the ages of 13 and 17, the operation of Instagram business accounts, and how such accounts automatically displayed children’s contact information (email addresses and/or phone numbers) publicly.

According to DPC, Meta failed to take measures to provide child users with information using clear and plain language, lacked appropriate technical and organizational measures, and failed to conduct a Data Protection Impact Assessment where processing was likely to result in a high risk to the rights and freedoms of child users.

4. Meta GDPR fine – €390 million

On 4 January, Ireland’s Data Protection Commission (DPC) announced the conclusion of two inquiries against Meta Ireland and the decision to issue a €390 million fine in connection with its Facebook and Instagram services.

Meta changed the Terms of Service for its Facebook and Instagram users right before the GDPR was enforced, changing the legal basis from consent to contract for most of its processing activities.

Users were asked to accept the new updated Terms of Service to access their Facebook and Instagram accounts; otherwise, the services would not be available.

Meta considered that, by accepting the Terms of Service, users would enter into a contract with Meta, and claimed that processing of personal data was necessary for the delivery of Facebook and Instagram services and performance of the contract, so any personalized and behavioral advertising would be considered in line with the GDPR.

However, two complainants contended that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta was, in fact, “forcing” them to consent.

5. TikTok GDPR fine – €345 million

TikTok is facing a substantial fine of €345 million due to violations of GDPR, with a specific focus on its handling of children’s accounts.

The Irish Data Protection Commission (DPC) concluded its investigation in September 2023, examining TikTok’s data practices between July 31 and December 31, 2020, particularly concerning young users.

The inquiry assessed various aspects, including platform settings, age verification, and communication with child users. The DPC’s decision revealed multiple GDPR breaches related to data processing, transparency, and fairness.

To address these violations, the DPC issued a reprimand, instructed TikTok to rectify its data processing practices within three months, and imposed a significant administrative fine of €345 million.

Read the entire article: TikTok fined €345m for violation of GDPR

6. Meta GDPR fine – €265 million

On November 25, 2022, the Irish DPA fined Meta €265 million. The DPA had previously launched an investigation against Meta back in 2021 after several media reports indicated that a Facebook dataset containing personal information had been made available on a public hacking platform.

This data leak affected up to 533 million users, disclosing their personal data (phone numbers and email addresses) to third parties without authorization.

The DPA reviewed and analyzed the Facebook Search, Messenger Contact Importer, and Instagram Contact Importer Tools. The DPA’s main goal was to assess the implementation of organizational and technical measures that would protect personal data, and they found a breach of Art. 25 GDPR.

Read the entire article: DPC imposes €265 million fine on Meta

7. WhatsApp GDPR fine – €225 million

On 2 September 2021, Ireland’s data protection authority, the Data Protection Commission (DPC), announced its decision to issue a €225 million (or $267 million) GDPR fine to WhatsApp Ireland, a Facebook-owned instant messaging and voice-over-IP service, after a three-year investigation.

The binding decision was issued after the European Data Protection Board (EDPB) intervened and required the DPC (lead supervisory authority for WhatsApp Ireland Ltd.) to reassess the initially proposed fine, both regarding the transparency infringements reflected in the calculation of the fine and regarding the timeframe for WhatsApp to comply.

Read the entire article: WhatsApp faces €225 million for transparency violation

8. Google LLC fine – €90 million

On December 31, 2021, the CNIL issued a €90 million fine to Google LLC over its failure to allow YouTube users in France to refuse cookies as easily as they could accept them.

The CNIL concluded that making refusal mechanisms more complex than they should be discourages users from refusing cookies and benefits a company whose main revenue streams are based on advertising and targeting based on cookies.

The CNIL ordered the companies to provide users located in France with a means of refusing cookies as simple as the existing means of accepting them within three months, or pay a penalty of €100,000 per day of delay.

Cookie regulation (the ePrivacy Directive) does not directly fall under the GDPR, but the GDPR defines how data controllers can obtain valid consent, which is why this penalty is counted as a GDPR fine.

Read the entire article: CNIL fines Google and Facebook a total of €210 million over cookies

9. Google Ireland fine – €60 million

The €60 million fine to Google Ireland was issued by the CNIL on the same day as the abovementioned fine to Google LLC.

The smaller fine of €60 million was issued for exactly the same reasons as the €90 million fine. However, this fine concerned the google.fr search website.

10. Facebook Ireland – €60 million

Facebook failed to provide mechanisms allowing its users to refuse cookies as easily as they can accept them.

The investigation, which started in April, uncovered that, as opposed to a single button to accept cookies, Facebook required several clicks to refuse cookies.

In addition, the button to refuse cookies was located at the bottom of the second page and was labeled “Accept cookies,” which was confusing and misleading.

11. Google France GDPR fine – €50 million

On January 21, 2019, the French National Commission on Informatics and Liberty (CNIL) fined Google €50 million for lack of transparency, inadequate information, and lack of valid consent regarding ads personalization.

Google failed to provide enough information to users about consent policies and did not give them enough control over how their personal data is processed.

12. CRITEO fine – €40 million

On June 15, 2023, the CNIL levied a substantial fine of €40 million against CRITEO, an online advertising company known for its expertise in behavioral retargeting. CRITEO failed to obtain proper consent, provide clear information, and enable user rights.

The CNIL found multiple violations, including trackers placed without user consent, lack of transparency in the privacy policy, incomplete responses to access requests, inadequate consent withdrawal and data erasure procedures, and absence of joint controller agreements.

Read the entire article: CRITEO Fined €40 Million Over Targeted Advertising

13. H&M GDPR fine – €35.25 million

The Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) issued a €35.3 million fine to the Swedish retail conglomerate Hennes & Mauritz (H&M) for violating the GDPR.

After a technical error, the data on the company’s network drive was accessible to everyone for a few hours. The press picked up the news, making the Commissioner aware of the violation.

The case is particularly interesting since the company collected sensitive personal data of its employees through whispering campaigns, gossip, and other sources to create profiles of employees, and used that data in employment decisions.

The personal data included medical records, diagnoses and symptoms of the illness, and private details about vacation and family affairs.


14. TIM GDPR fine – €27.8 million

On January 15, 2020, the Italian DPA (Garante) issued a €27.8 million GDPR fine to the Italian telecommunications operator TIM for an extensive list of violations.

TIM had contacted non-customers multiple times (certain numbers over 150 times per month) without proper consent or any other legal basis.

A few million individuals were affected by this aggressive marketing strategy. Violations included:

  • Improper management of consent lists
  • Excessive data retention
  • Data Breaches
  • Lack of proper consent
  • Violation of GDPR rights.

The personal information included name, surname, or company name; tax code or VAT number; telephone line; address; and contact details.

Read the entire article: €27.8 million GDPR fine for Italian Telecom - TIM

15. British Airways GDPR fine – €22.4 million

In 2019, the ICO announced its intention to issue a €204.6 million (£183.39 million) fine to British Airways for violation of the GDPR (Article 32 and Article 5(1)(f)).

What was initially announced as the biggest GDPR fine ever issued ended up being reduced to £20 million in light of the COVID-19 pandemic and its effect on the airline industry.

The incident occurred in July 2018 but was only discovered in September 2018. During those months, the British Airways website diverted users’ traffic to a site controlled by the attackers, which resulted in the theft of personal data of more than 400,000 customers.

According to the ICO official statement, “…investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.”

The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well [as] name and address information.”

Read the entire article: British Airways fine for 2018 data breach reduced to £20 million

16. Marriott GDPR fine – €20.45 million

In July 2019, the ICO issued a notice of intent to fine Marriott International £99 million for infringements of the GDPR.

The fine was related to a cyber attack that exposed over 339 million guest records.

Out of those 339 million individuals, 31 million were residents of the EEA.

Marriott International exposed itself to the cyber-attack after acquiring the Starwood Hotels group.

The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.

On October 30, 2020, the ICO issued a penalty notice explaining its decision. After more than a year, the fine was settled at £18.4 million instead of the proposed £99 million.

In its penalty notice, the ICO explains the reasons behind the decision, taking into account a range of mitigating factors and the impact of the COVID-19 pandemic.

17. Clearview AI fine – €20 million

On 20 October 2022, the French Data Protection Agency (CNIL) imposed a €20 million fine on Clearview AI over its facial recognition technology.

Since the earlier formal notice went unaddressed, the CNIL issued the maximum fine and ordered Clearview AI to cease collecting and using personal data on individuals in France without a proper legal basis and to delete the data already collected.

If it fails to do so within two months of the decision, Clearview AI could face additional penalties of €100,000 per day of delay.

Read the entire article: CNIL issues €20 million GDPR fine to Clearview AI

18. Clearview AI fine – €20 million

On 13 July 2022, the Hellenic DPA fined Clearview AI €20 million for violating the lawfulness and transparency principles and its obligations under Articles 12, 14, 15, and 27 of the GDPR.

The DPA examined a complaint against Clearview AI, filed by the civil non-profit organization “Homo Digitalis” on behalf of a complainant who was unsatisfied with the company’s response to the right of access they had exercised.

The complaint also requested that the company be examined as a whole from the point of view of personal data protection.

The DPA ordered Clearview AI to comply and imposed a ban on collecting and processing personal data of subjects located in Greek territory using the methods included in its facial recognition service.

Finally, the DPA ordered Clearview AI Inc. to delete the personal data of those subjects located in Greece.

Read the entire article: Hellenic DPA fines Clearview AI 20 million euros

19. Clearview AI fine – €20 million

On 2 October 2022, the Italian Data Protection Authority (Garante) imposed a hefty fine of €20 million on Clearview AI, a US-based company, for its non-compliance.

The company, which owns an extensive database containing over 10 billion facial images worldwide, was found to have engaged in biometric surveillance activities within Italy.

The DPA found unlawful processing of personal data without a legal basis and violations of GDPR principles, including transparency, purpose limitation, and storage limitation.

20. Meta GDPR fine – €17 million

On March 15, 2022, Ireland’s Data Protection Commission (DPC) announced a decision to impose a €17 million fine on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) for violation of the General Data Protection Regulation (GDPR).

The DPC examined how Meta complied with the GDPR requirements in relation to the processing of personal data covered by twelve breach notifications.

The investigation uncovered infringements of Article 5(2) and Article 24(1) GDPR: Meta failed to implement appropriate technical and organizational measures that would allow it to demonstrate the security measures implemented to protect the personal data of EU users affected by the reported personal data breaches.

Read the entire article: GDPR fine: Irish DPC imposes €17 million fine to Meta

GDPR fines so far - conclusion

This is the up-to-date list of the biggest GDPR fines so far, but the list is constantly changing, which indicates a high level of activity from data protection authorities. As the DLA Piper report states:

“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime.”

2023 is likely to give rise to more data privacy laws and could prove to be a year of increased enforcement and greater penalties for violations of GDPR.

How to start your compliance journey

Data Privacy Manager consists of four products and 11 modules that tackle real day-to-day challenges and can help you with:


  • PERSONAL DATA DISCOVERY: AI-based solution designed to automate personal data discovery and classification across your systems in any language and script, from structured and unstructured sources, through machine learning and database connectivity, eliminating false positives and providing accurate insight into personal data.
  • PRIVACY PROGRAM AUTOMATION: Six modules (Data Processing Inventory (ROPA), Data Subject Requests, Third Party Management, Assessment Automation, Risk Management, and Incident Management) designed to automate privacy processes, support cross-departmental cooperation and minimize privacy-related risks.
  • CONSENT AND PREFERENCE MANAGEMENT: Manage consents in real time and provide customers with easy and secure access to their data. It gives a clear overview of activities and enables you to keep records of consent in one central place, with real-time insight into the complete personal data lifecycle from the moment of opt-in to data removal.
  • DATA REMOVAL ORCHESTRATION: A clear and automated way to delete personal data that is no longer needed or is requested to be removed. Data Privacy Manager has paired up with filerskeepers to provide a privacy platform with instant access to data retention information across hundreds of countries worldwide.