10 Biggest GDPR Fines (Until 2025)
It is clear that GDPR enforcement is increasing. Only recently, in 2024, the largest GDPR fine was issued, and in 2025, we are likely to see even bigger fines. Google has been fined €50 million by the French data protection authority for failing to provide transparency and consent under the GDPR. The German data protection authority also fined H&M €35 million for monitoring its employees unlawfully. In these cases, fines were given for violations of GDPR principles and regulations surrounding data protection and privacy. Here, we will discuss much bigger fines.
| Company | Fine | Date |
|---|---|---|
| Meta | €1.2 billion | May 2023 |
| Amazon | €746 Million | July 2021 |
| €405 million | September 2022 | |
| Meta Platforms | €390 million | January 2023 |
| TikTok | €345 million | September 2023 |
| €310 million | October 2024 | |
| Uber Technologies Inc., Uber B.V. | €290 million | July 2024 |
| Meta Platforms | €265 million | November 2022 |
| Meta Platforms | €251 million | December 2024 |
| €225 million | September 2021 | |
| Meta Platforms | €91 million | September 2024 |
| Google LLC | €90 million | December 2021 |
Biggest GDPR Fine
Meta Platforms Ireland Limited –
€1.2 billion GDPR Fine
Date: May 2023
Issued by: Irish Data Protection Commission (DPC)
Meta, Facebook’s parent company, now holds the largest GDPR fine in history.
Meta was fined €1.2 billion by the Irish supervisory authority on May 22, 2023, for transferring Facebook data collected from EU/EEA users to the US in violation of GDPR international transfer guidelines.
Meta failed to comply with the EU’s Schrems II decision from 2020, invalidating the EU-S Privacy Shield Framework, according to data privacy regulators.
Aside from the massive fine, Meta now has five months to comply with the corrections. Meta said it plans to appeal the decision, which likely will lead to a lengthy legal battle.
Biggest GDPR Fines – 2nd Place
Amazon – €746 Million GDPR Fine
Date:July 2021
Issued by: Luxembourg’s data protection authority (CNPD)
Amazon’s Luxembourg EU headquarters was hit with what was then the largest GDPR fine ever.
The fine is based on the claim that Amazon did not obtain valid consent for its personalised advertising and thereby violated the provisions of the GDPR (General Data Protection Regulation).
Biggest GDPR Fine – 3rd Place
Meta Platforms (Instagram) – €405 million GDPR Fine
Date: September 2022
Issued by: Irish Data Protection Commission (DPC)
In 2022, Ireland’s data protection authority fined the social media platform Instagram (Meta) for wrongfully processing children’s personal data.
Instagram violated federal law by making children’s accounts public by default, as well as disclosing their email addresses and phone numbers.
Meta Platforms Ireland Limited (Facebook & Instagram) – €390 million GDPR Fine
Date: January 2023
Issued by: Irish Data Protection Commission (DPC)
The Data Protection Commission of Ireland fined Facebook and Instagram for relying on a customer’s contact as their legal basis for most of their data processing.
Facebook was fined €210 million, and Instagram was fined €180 million.
TikTok GDPR fine- €345 million GDPR Fine
Date: September 2023
Issued by: Irish Data Protection Commission (DPC)
In connection with its handling of children’s accounts, TikTok has been fined €345 million for violating GDPR.
As a result of an investigation conducted by the Irish Data Protection Commission (DPC) between July 31 and December 31, 2020, particularly in the areas of young users, the DPC concluded its investigation in September 2023.
In the course of its investigation, the DPC examined a number of aspects, including platform settings, age verification, and communication with children. The DPC’s decision uncovered multiple GDPR breaches related to data processing, transparency, and fairness.
An administrative fine of €345 million was imposed on TikTok for these violations. The DPC issued a reprimand, instructed TikTok to rectify its data processing practices within three months, and imposed a reprimand for these violations.
LinkedIn GDPR fine- €310 million GDPR Fine
Date: October 2024
Issued by: Irish Data Protection Commission (DPC)
LinkedIn Ireland has been hit with a massive €310 million fine by the Irish Data Protection Commission (DPC) in October 2024 for mishandling user data. The investigation, sparked by a French complaint, found that LinkedIn illegally processed personal data for targeted advertising and behavioral analysis. The DPC determined LinkedIn failed to obtain proper user consent, didn’t have legitimate business interests that outweighed user privacy rights, and couldn’t justify the data processing as necessary for contracts. The commission also found LinkedIn wasn’t transparent enough about how it was using people’s data. Along with the fine, LinkedIn received a reprimand and must change its data processing practices to comply with GDPR regulations.
Uber GDPR fine- €310 million GDPR Fine
Date: August 2024
Issued by: Dutch DPA
In August 2024, the Dutch Data Protection Authority (DPA) slapped Uber with a €290 million fine for improperly transferring European taxi drivers’ personal data to its US servers. The issue came to light after 170 French drivers complained through a human rights group. According to the DPA, Uber failed to provide adequate protection for sensitive information including drivers’ licenses, location data, photos, payment details, and even criminal and medical records. The violation lasted over two years, during which Uber operated without proper data transfer tools after the EU-US Privacy Shield was invalidated in 2020. This marks Uber’s third fine from the Dutch DPA, following previous penalties of €600,000 in 2018 and €10 million in 2023. Uber has stated it plans to challenge the latest fine.
Meta Platforms Ireland Limited – €265 million GDPR Fine
Date: November 2022
Issued by: Irish Data Protection Commission (DPC)
A fine of €265 million was imposed on Meta by the Irish Data Protection Authority on November 25, 2022. The DPA had investigated Meta in 2021 following media reports that Facebook’s data with personal data of users had been made publicly available.
Up to 533 million users had their personal data (phone numbers and email addresses) disclosed without their permission.
A DPA review and analysis of Facebook Search, Messenger Contact Importer, and Instagram Contact Importer was conducted. They found a breach of Art. 25 GDPR when assessing the implementation of organizational and technical measures aimed at protecting personal data.
Meta Platforms Ireland Limited – €251 million GDPR Fine
Date: December 2024
Issued by: Irish Data Protection Commission (DPC)
Meta (Facebook’s parent company) has been fined €251 million by the Irish Data Protection Commission in December 2024 for a massive data breach that occurred in 2018. The breach affected 29 million Facebook accounts globally, including 3 million in the EU/EEA, exposing sensitive user data like names, emails, phone numbers, religious beliefs, and even children’s personal data. The breach happened when unauthorized parties exploited user tokens on Facebook. The fine breaks down into two main decisions: €11 million for failing to properly report and document the breach, and €240 million for not having adequate data protection measures built into their systems. The commission emphasized how serious this breach was, given that Facebook profiles often contain sensitive personal information that users only want to share selectively.
WhatsApp – €225 million GDPR Fine
Date: September 2021
Issued by: Irish Data Protection Commission (DPC)
During a three-year investigation, the Data Privacy Commission (DPC) of Ireland issued a decision on 2 September 2021 to fine a Facebook-owned instant messaging and voice-over-IP service, WhatsApp Ireland, €225 million (or $267 million) for violating the GDPR.
The binding decision was issued after the European Data Protection Board (EDPB) intervened and instructed the DPC (lead supervisory authority for WhatsApp Ireland Ltd.) to reevaluate the originally proposed fine regarding infringements of transparency in the calculation of the fine as well as the timeframe for WhatsApp to comply.
Meta Platforms Ireland Limited – €91 million GDPR Fine
Date: September 2024
Issued by: Irish Data Protection Commission (DPC)
Meta Ireland has been hit with a €91 million fine by the Irish Data Protection Commission in September 2024 for storing user passwords in plaintext format (without encryption) on their internal systems. The investigation, which began in April 2019, found that Meta violated multiple GDPR provisions by failing to properly protect user passwords, not notifying authorities of the data breach, and not documenting the breach properly. The decision included both the fine and a formal reprimand, highlighting significant security failings in Meta’s password storage practices.
Google LLC – €90 million GDPR Fine
Date: December 2021
Issued by: French Data Protection Authority (CNIL)
Google LLC was fined €90 million by CNIL for not allowing users to decline cookies as easily as they could accept them in France as of December 31, 2021.
Making refusal mechanisms more complex than they should be discourages users from refusing cookies and benefits companies whose main revenue streams are advertising and targeting.
By the end of three months, the CNIL ordered the companies to provide their users in France with the same simple method for refusing cookies as they currently have for accepting them, or face a fine of €100.000 euros per day the companies fail to comply.
GDPR doesn’t directly deal with cookies, but it defines how data controllers can obtain consent and thus counts as a fine under GDPR.
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams connect, monitor, and automate digital governance across all business workflows.