Top 10 Biggest GDPR Fines in History (So Far)

Published on
20/02/2024 09:50 AM
Biggest GDPR fines

It’s been more than five years since the EU’s General Data Protection Regulation (GDPR) went into application, and the law remains a regulatory benchmark for today’s digital world. 

The regulation companies handle people's data, providing better protection for privacy while keeping sensitive information out of the hands of malicious actors. But while organizations big and small have changed the way they operate to adhere to the landmark law, many have also failed to adhere to its compliance requirements – leading to hefty penalties and fines as a result.

So far almost €4.5 billion has been dished out in GDPR fines and almost 2000 organizations have been forced to pay them over the past 5 years. 

And with the number of companies failing to comply increasing year by year, there’s no doubt that even bigger GDPR fines are already on the horizon. 

What is the GDPR?

The GDPR, or General Data Protection Regulation, is a regulation in the EU that sets guidelines for how the personal data of individuals within the EU is collected and processed. 

Enacted in 2018, it's considered one of the toughest privacy and security laws in the world, controlling how organizations handle people’s personal data and where they store it. 

This means companies must be transparent about their data collection practices, clearly outlining what data they collect, why they collect it, and for how long they retain it. They’re also forced to implement robust security measures to protect your data from unauthorized access, accidental loss, or breaches.

The GDPR doesn't shy away from holding organizations accountable if they don’t comply. Organizations are responsible for demonstrating compliance with its regulations, and failure to do so can result in significant fines, ranging up to 4% of global annual turnover or €20 million, whichever is higher.

This applies to any organization processing the personal data of individuals within the EU, regardless of the organization's location. Due to this global reach, any organization processing data of EU residents, regardless of its location, must comply with the regulation. This has created a global ripple effect, prompting stricter data protection laws and practices worldwide.

The GDPR is more than just a regulation; it's a cultural shift. It represents a recognition that personal data is not a commodity to be traded, but a fundamental right to be protected.

Key Obligations of the GDPR

ogligations gdpr fines

The GDPR imposes significant obligations on organizations handling personal data of EU residents, regardless of the organization's location. These obligations aim to protect individual privacy and ensure responsible data handling, and those who break them risk getting dished with large GDPR fines.

Here are some of the obligations of the GDPR:

1. Lawful Basis for Processing

Organizations must have a valid legal reason for collecting and using personal data. This could be consent, contractual necessity, vital interests, public interest, or legal obligations – as long as they can prove they are not simply collecting people’s personal data for profits. 

2. Transparency and Individual Rights

 Organizations must be transparent about data collection practices and inform individuals:

  • What data is collected and why
  • How the data will be used
  • The legal basis for processing
  • Individual rights under the GDPR
  • Contact details of the Data Protection Officer (DPO)

Individuals have a range of rights over their data too, including access, rectification, erasure (right to be forgotten), restriction of processing, objection, and data portability. Organizations must have procedures in place to facilitate these requests within specified timeframes.

3. Data Security

Organizations are responsible for implementing appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. This includes encryption, access controls, and regular security assessments.

In case of a personal data breach that poses a high risk to individuals' rights and freedoms, organizations must notify the relevant authorities and affected individuals within specific timeframes.

4. Data Protection Impact Assessments (DPIAs)

For high-risk processing activities, such as large-scale profiling or sensitive data usage, organizations must conduct DPIAs to identify and mitigate risks to individual rights.

They should also only collect and process the minimum amount of personal data necessary for their specific purposes. Thus means must not retain data longer than necessary and should have clear deletion policies in place.

5. Cross-border Data Transfers

If transferring personal data outside the EU, organizations must comply with additional GDPR rules to ensure adequate data protection safeguards. This includes using standard contractual clauses or relying on adequacy decisions from the European Commission.

6. Record-keeping

 Organizations must keep records of their data processing activities and be able to demonstrate their compliance with the GDPR to supervisory authorities. They are also accountable for any violations and may face significant fines for non-compliance.

7. Data Protection Officer (DPO)

 Certain organizations, such as public authorities and those processing data on a large scale, are required to appoint a DPO who oversees data protection compliance with GDPR. 

The DPO acts as an internal expert on data protection, advising the organization and ensuring compliance with the regulation.

8. Accountability and Enforcement 

Organizations face significant fines for non-compliance with the GDPR, ranging up to 4% of their global annual turnover or €20 million (whichever is higher).

Biggest GDPR Fines so far

Since the General Data Protection Regulation (GDPR) came into effect in 2018, it has become a powerful tool for enforcing data privacy and security. 

One way it does this is by issuing some of the biggest data protection fines to companies that violate its provisions. Here's a glimpse at some of the biggest GDPR fines issued so far.

Google Ireland (€50 million, January 2019)

In January 2019, CNIL slapped Google with a whopping €50 million fine due to its lacklustre data privacy policy. The issue stemmed from Google's data collection practices while setting up Android devices and creating a Google account.  When users set up their Android phones, CNIL found  Google's privacy policy to be unclear and complex and failing to properly explain how data would be collected and used for personalized advertising. The information presented during Google account creation was also considered insufficient, leaving users unaware of the extent to which their data would be processed and shared across different Google services.

As the forest multi-million GDPR fine at the time, the decision marked the first major penalty under the newly implemented GDPR. It sparked a global conversation about data privacy the need for stricter regulations and the implementation of privacy by design and default.  It also served as a warning to other tech companies, prompting them to review and adapt their data practices to comply with the GDPR.

Facebook Ireland (€60 million, December 2021)

The €60 million fine issued to Facebook Ireland in December 2023 is just one of many large GDPR fines issued to Meta on this list, but it still holds significance. On December 31, 2021, France’s National Commission on Informatics and Liberty (CNIL) fined Facebook Ireland Limited €60 million for making it too difficult for users to remove cookies from their platform. According to a filing by the data privacy watchdog, Facebook made it much easier for users to accept cookies used for personalized advertising than to reject them.

 It said that the platform’s  "Accept all" button to accept cookies was large and easy to click, while the "Manage data parameters" option was less visible and involved multiple steps to reject cookies. This violated the principle of "informed consent" under the GDPR, which requires offering users a clear and equally convenient way to accept or refuse cookies. The fine served as a warning to companies about the importance of user consent and transparency regarding cookies, while also emphasising the need for a balanced and user-friendly approach to cookie management, offering equal ease for acceptance and rejection.

Google LLC and Google Ireland Limited (150 million, December 2021)

On December 31, 2021, the French Data Protection Authority, CNIL, fined Google a total of €150 million for making it difficult for users on google.fr and YouTube to refuse or modify cookies. In June of that year, CNIL investigated the sites and found that the refusal mechanism was more complex than accepting cookies. The Restricted Committee judged that this discouraged users from refusing cookies and infringed on Article 82 of the French Data Protection Act. Google LLC and Google Ireland Limited were fined €90 million and €60 million, respectively. 

The crux of the case revolved around the design of Google's cookie banners on google.fr and youtube.com. CNIL found that they made it significantly easier for users to accept all cookies (used for personalized advertising) than to refuse them. These practices were deemed to infringe upon users' right to informed consent under Article 82 of the French Data Protection Act, which aligns with the GDPR. By making it easier to accept cookies than to refuse them, Google was arguably coercing users into consenting to data collection for personalized advertising.

WhatsApp Ireland (€225 million, December 2021)

In December 2021, the Irish Data Protection Commission (DPC) hit WhatsApp Ireland with a hefty €225 million fine due to alleged violations of transparency principles concerning how it informed users about its data-sharing practices with Meta. The DPC argued that WhatsApp's privacy policy lacked clarity about the extent of data shared with Meta, including the types of data, purposes of use, and potential onward transfers to third parties. It also believed that the consent mechanism for data sharing with Meta was deemed ambiguous, potentially leading to users unknowingly consenting to a broader scope of data sharing than intended.

While the €225 million fine primarily addressed past transparency issues, it sets a precedent for WhatsApp and other companies that store large amounts of user data. The case also raises broader questions about the complexities of data sharing within corporate groups and the challenges of ensuring transparency across different platforms and services.

Meta Platforms Ireland Ltd. (€265 million, June 2022)

In June 2022, Meta Platforms Ireland Limited, the operator of Facebook in the EU, was hit with a €265 million fine by the Irish Data Protection Commission (DPC). This penalty addressed concerns surrounding Meta's legal basis for processing user data, specifically relying on "legitimate interests" without sufficient justification.  The company had been investigated after data on more than 533 million users was discovered on a website for hackers, including users’ names, Facebook IDs, phone numbers, locations, birthdates, and email addresses from over 100 countries. Meta said this data was scraped from Facebook using tools designed to help users find their friends via phone numbers, therefore broadly classifying it as data for “legitimate interests" without specifying how users actually benefit from it. 

Under GDPR, organizations can process personal data based on various legal grounds, including consent and fulfilling contractual obligations. However, this justification requires careful consideration and cannot override individuals' fundamental rights and freedoms. In Meta’s case, the DPC’s investigation found that Meta was relying on "legitimate interests" for scraping conducted between May 2018 and September 2019, ultimately breaking GDPR restrictions. 

TikTok Technology Ltd. (€345 million, January 2023)

In January 2023, the DPC imposed a hefty €345 million fine on TikTok for alleged violations related to processing children's data without their consent. Accounts registered by users under 13 were set to public by default, exposing user information and content to anyone online and breaking GDPR data protection rules. Meanwhile, the "family pairing" feature allowed non-child users to connect with children's accounts, potentially leading to inappropriate interactions or exposure to harmful content and sensitive data. 

DPC’s investigation also found that TikTok collected and used the personal data of users under 13, which once again violated GDPR requirements for explicit parental consent. It also revealed that TikTok's privacy policies and information provided to users lacked clarity and age-appropriate language, making it difficult for children to understand how their data was being used.  The €345 million fine serves as a wake-up call for the industry. Platforms must prioritize children's privacy by design, implement robust age-verification mechanisms, and provide clear and transparent information to users. 

Meta Platforms Ireland Ltd. (€390 million, September 2023)

In January 2023, Meta was fined €390 million by the DPC for breaking GDPR rules due to the way it asked permission to use peoples' data for ads on Facebook and Instagram. This hefty fine, the largest GDPR fine ever issued to Meta at the time, targeted the way user data was collected and used for personalized advertising across both platforms. Meta relied on pre-checked boxes for users to agree to personalized ads. This "opt-out" approach was deemed to fall short of GDPR's requirement for "freely given, specific, informed and unambiguous consent." 

The investigation was sparked by complaints made in 2018 by privacy campaigner Max Schrems just like the GDPR. came into operation. In order to comply with GDPR both Facebook and Instagram asked users to click "I accept" to indicate that they agreed to updated terms of service setting out how their data would be used in ads. If users did not accept, they were unable to use Facebook or Instagram. The complainants argued that this meant Meta was forcing them to consent to their data being used in targeted ads, which breaches the GDPR. Meta attempted to justify the practice as necessary for fulfilling a contract with users, but the DPC ultimately rejected this argument, highlighting that personalized advertising wasn't essential for accessing the platforms.

3. Instagram (€405 million, Sep 2022)

In September 2023, Meta Platforms Ireland Limited was hit with a €405 million fine – its largest fine yet – for failing to protect children’s data on Instagram. The DPC revealed that Instagram had allowed users aged between 13 and 17 to operate business accounts on the platform, publicly revealing the users’ phone numbers and email addresses. It also found the platform had operated a user registration system where the accounts of 13-to-17-year-old users were set to “public” by default, which it alleged put their personal information at risk. 

As per the GDPR, Platforms must design features and practices that consider the specific needs and vulnerabilities of children. This includes features like privacy by design, as well as implementing age restrictions to prevent children from harm online. However the DPC believed  Meta failed to provide clear and age-appropriate protections, leading to some young users accidentally exposing their personal data without realising it. 

Amazon Europe (€746 million, Jul 2021):

In July 2021, the Luxembourg National Commission for Data Protection (CNPD) dropped a €746 million bombshell on Amazon by imposing the largest GDPR fine issued at the time. This monumental penalty stemmed from alleged violations of transparency principles related to personalized advertising and data use on Amazon platforms. The CNPD investigation found that Amazon's data processing practices for personalized advertising lacked transparency and clarity, falling short of GDPR's strict requirements. It also deemed that the process for users to consent to data use for personalized advertising was ambiguous and confusing, and its opt-in/opt-out options weren't presented clearly, so customers were being misled about how Amazon was using their data. 

As per the GDPR, Companies must offer transparent and straightforward information for users to understand and consent to data processing practices. Privacy policies and information about data use should be written in clear and concise language, and easily accessible to users. In Amazon’s case, however, its instructions were simply too complicated for people to understand. Users lacked granular control over how their data was used for personalized advertising, limiting their ability to make informed choices about their privacy. he hefty €746 million fine sent shockwaves through the tech world, highlighting the potential consequences of non-compliance with GDPR.

Meta (€1.2 billion, Jan 2023)

In January 2023, Meta Platforms Ireland Limited faced a landmark €1.2 billion fine from the Irish Data Protection Commission (DPC) for the way it transferred EU data to the US. This record-breaking penalty, which is the largest GDPR fine ever issued, stemmed from alleged violations of transparency principles related to personalized advertising and data use across both platforms. The DPC investigation revolved around Facebook and Instagram's practices of transferring user data from the EU to the United States for advertising purposes. The agency found that hat Meta's reliance on "standard contractual clauses" to justify data transfers was insufficient under GDPR due to concerns about US surveillance laws potentially overriding user privacy protections. It argued users supposedly weren't informed clearly and comprehensively about the potential risks and implications of their data being transferred to the US for advertising purposes, and the DPC. Users supposedly weren't informed clearly and comprehensively about the potential risks and implications of their data being transferred to the US for advertising purposes.

While Meta is still appealing the fine, the DPC's decision sets a significant precedent. It strengthens enforcement of GDPR and holds large tech companies accountable for ensuring transparency and user privacy in the context of personalized advertising and international data transfers. Companies must have a robust legal basis for transferring user data outside the EU, ensuring adequate safeguards and protections for user privacy. At the same time, users deserve meaningful control over their data, including granular options to manage and limit its use for specific purposes like personalized advertising, even after transfers outside the EU.