The financial penalties for breaching the GDPR can be staggering, running into hundreds of millions of euro.
by Niall McCarthy |Updated: 16.01.2024| 5 min
Europe’s General Data Protection Regulation (GDPR) contains hundreds of pages’ worth of requirements and it is considered one of the toughest privacy and security laws globally. In effect since May 25, 2018, the regulation imposes obligations on organisations anywhere in the world as long as they target or collect data related to people in the EU.
The scale and complexity of the GDPR has turned it into a daunting prospect for compliance departments, though the availability of state-of-the art integrated compliance management platforms has helped ease the burden.
Nevertheless, breaches are serious and fines regularly run into hundreds of millions of euro with a record penalty smashing the billion threshold last year. This article looks back at the biggest fines of 2023.
1. Meta – €1.2 billion (Ireland)
In May 2023, Ireland’s Data Protection Commission imposed a record $1.2 billion fine on Facebook owner Meta. The mammoth penalty related to the transfer of European Facebook user data to the United States without sufficient protection from Washington’s intelligence agencies. Meta was also ordered to suspend the transfer of user data between the EU and the US within six months. Andrea Jelinek, Chair of the European Data Protection Board, said: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
2. Meta – €390 million (Ireland)
The Irish Data Protection Commission also slapped Meta with the second-highest penalty of 2023 when two fines were imposed on the company adding up to a collective €390 million. The decision was announced on 4 January 2023 with a €210 million fine relating to GDPR breaches by Facebook and a further €180 million penalty due to breaches by Instagram. Whereas Meta used to rely on users providing their informed consent to be served with personalised and behavioural advertisem*nts, it later added a clause whereby users were effectively forced to agree that their data could be used, leading to the January 2023 fine.
3. TikTok – €345 million (Ireland)
Irish regulators fined TikTok €345 million after an investigation found that the platform improperly processed children’s data. It examined the age verification aspect of the registration phase and the processing of children’s personal data between 31 July and 31 December 2020. The investigation found that videos posted to children’s user accounts were public by default while comments were also enabled by default. The Chinese-owned-platform said that it “respectfully disagreed” with the scale of the fine imposed.
4. Criteo – €40 million (France)
French advertising technology company Criteo was fined €40 million by France’s Data Protection Authority (CNIL) for GDPR breaches related to targeted advertising. CNIL stated that it found fine GDPR infringements after the company used tracking and data processing techniques to profile internet users for more specific ads. Criteo argued that this “behavioral retargeting” was not deliberate and that the fine was disproportionate compared to the penalties handed out to US tech companies. This resulted in CNIL reducing the initial sum by a third.
5. TikTok – €14.5 million (UK)
The UK’s Information Commissioner’s Office fined TikTok €14.5 million for failing to comply with data protection principles under the GDPR after allowed children under the age of 13 were allowed to create accounts on the platform. This was in violation of the GDPR’s requirement for organisations to obtain parental consent for the collection and processing of data from children under 13 yeas of age. In addition to a lack of adequate measures to prevent children from accessing the platform, TikTok also failed to provide information to children about how their data would be collected and processed.
6. Axpo Italia Spa – €10 million (Italy)
Garante, the Italian Data Protection Authority, imposed a €10 million fine on Axpo Italia in late September 2023. The producer and trader of renewable energy products was penalized for processing outdated and inaccurate customer data, violating Articles 5(1)(a), 5(1)(d), 5(2), and 24 of the GDPR. It was found that Axpo acquired new electricity and gas contracts through a network of sales agents and sub-agents without having appropriate procedures in place to ensure the data corresponded to the actual users. On top of the fine, Garante ordered Axpo to adopt a series of corrective measures.
7. Tim S.p.A. – €7.6 million (Italy)
Italy also saw another considerable fine for multiple GDPR breaches in April 2023 when Garante penalized TIM S.p.A. to the tune of €7.6 million. An investigation was launched after complaints were received from multiple individuals alleging that the company’s telemarketing activities were unlawful. These included a failure to address data subject rights requests, a lack of documentation to demonstrate recipients’ consent to commercial communications as well as non-compliance with the information provision obligations under the GDPR. As a result, Articles 5(2), 6, 7, 12(2), 12(3), 13, 14, 15(1), 24, and 32(1)(b) of the GDPR were breached.
8. WhatsApp – €5.5 million (Ireland)
WhatsApp was handed a €5.5 million fine by Ireland’s Data Protection Commission at the start of the year. The penalty was imposed after an individual complained about how the app asked users to agree to its updated terms of service when the GDPR came into effect. If they declined, they would no longer be able to access the service and the individual in question argued that users were being “forced” to consent to the processing of their personal data. While the fine was described as “administrative” and low in comparison to other financial penalties imposed on Meta’s services, WhatsApp nevertheless signalled that it would appeal the decision. Ireland’s regulator fined WhatsApp €225 million for transparency beaches in a previous case.
9. EOS Matrix – €5.5 million (Croatia)
In October 2023, Croatia’s data protection regulator announced that it imposed a €5.47 million fine on debt collection agency EOS Matrix for significant GDPR breaches. Action was taken after an anonymous petition alleged that EOS Matrix unlawfully processed the personal data of 181,641 individuals with outstanding debts with credit institutions. Among the GDPR breaches, it was found that EOS Matrix processed the data of individuals without a legal basis, failed to implement appropriate technical measuresto protect personal data and failed to inform data subjects about their data being processed.
10. Clearview AI – €5.2 million (France)
Clearview AI added to its tally of serious GDPR breaches in 2022 with an additional €5.2 million fine in May 2023. CNIL, France’s data protection authority, levied a €20 million fine on the US company in October 2022, ordering it to cease the collection and processing of data on individuals located in France without any legal basis. It was given two months to comply and was threatened with further penalties if it failed to do so, costing €100,000 per overdue day. Clearview AI did not send any proof of compliance within the time limit, resulting in the €5.2 million fine being imposed. So far, the company has also been penalised by data protection authorities in the UK, Italy and Greece to the tune of tens of millions of euros. It remains unclear if these fines will ever be paid given the company’s persistent lack of cooperation with European regulators.
In summary
GDPR fines are designed to make non-compliance around data security a costly mistake and they can be separated into two tiers. Less severe infringements can result in a fine of €10 million or 2% of a firm’s annual revenue from the preceding financial year, depending on which amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm’s annual revenue from the preceding year, depending on what is higher.
Both the uptick in violations and mammoth fines levied in recent years highlight a growing lack of consent and transparency. Despite that worrying trend, it has been reassuring to see European regulators actively enforcing the law and imposing fines at a rate never seen before. Before 2021, the largest fine on record was levied in 2019 when Google was penalised €50 million for how it communicated privacy to its users as well as various data processing offences.
By 2021, financial penalties had increased significantly and Amazon was fined a then record €746 million. It only seemed a matter of time until the billion-euro barrier was broken and Meta set the next unwelcome record with its astronomical fine in 2023. It will be interesting to see if that penalty will be topped in 2024.
Browse the full list of GDPR violations
Building an effective anti-bribery and corruption programme
Key principles of establishing an effective ABC programme
Download now
Niall McCarthy
Niall is a Content Writer at the EQS Group. Originally from Ireland, he previously worked as a journalist, which included reporting on major corruption trends worldwide.
Contact
