
10 Biggest GDPR Fines (Until 2024)

It is clear that GDPR enforcement is increasing. Only recently, in 2023, the largest GDPR fine was issued, and in 2024, we are likely to see even bigger fines. Google has been fined €50 million by the French data protection authority for failing to provide transparency and consent under the GDPR. The German data protection authority also fined H&M €35 million for monitoring its employees unlawfully. In these cases, fines were given for violations of GDPR principles and regulations surrounding data protection and privacy. Here, we will discuss much bigger fines.

| Company | Fine | Date |
|---|---|---|
| Meta | €1.2 billion | May 2023 |
| Amazon | €746 million | July 2021 |
| Instagram | €405 million | September 2022 |
| Meta Platforms | €390 million | January 2023 |
| TikTok | €345 million | September 2023 |
| Meta Platforms | €265 million | November 2022 |
| WhatsApp | €225 million | September 2021 |
| Google LLC | €90 million | December 2021 |
| Google Ireland | €60 million | December 2021 |
| Facebook Ireland | €60 million | December 2021 |

Biggest GDPR Fine

Meta Platforms Ireland Limited – €1.2 billion GDPR Fine

Date: May 2023
Issued by: Irish Data Protection Commission (DPC)

Meta, Facebook’s parent company, now holds the largest GDPR fine in history.

Meta was fined €1.2 billion by the Irish supervisory authority on May 22, 2023, for transferring Facebook data collected from EU/EEA users to the US in violation of GDPR international transfer guidelines.

According to data privacy regulators, Meta failed to comply with the EU’s Schrems II decision from 2020, which invalidated the EU-US Privacy Shield Framework.

Aside from the massive fine, Meta now has five months to comply with the corrections. Meta said it plans to appeal the decision, which likely will lead to a lengthy legal battle.

Biggest GDPR Fines – 2nd Place

Amazon – €746 Million GDPR Fine

Date: July 2021
Issued by: Luxembourg’s data protection authority (CNPD)

Amazon’s Luxembourg EU headquarters was hit with what was then the largest GDPR fine ever.

The fine is based on the claim that Amazon did not obtain valid consent for its personalised advertising and thereby violated the provisions of the GDPR (General Data Protection Regulation). 

Biggest GDPR Fine – 3rd Place

Meta Platforms (Instagram) – €405 million GDPR Fine

Date: September 2022
Issued by: Irish Data Protection Commission (DPC)

In 2022, Ireland’s data protection authority fined the social media platform Instagram (Meta) for wrongfully processing children’s personal data.

Instagram violated federal law by making children’s accounts public by default, as well as disclosing their email addresses and phone numbers.

Meta Platforms Ireland Limited (Facebook & Instagram) – €390 million GDPR Fine

Date: January 2023
Issued by: Irish Data Protection Commission (DPC)

The Data Protection Commission of Ireland fined Facebook and Instagram for relying on a customer’s contract as their legal basis for most of their data processing.

Facebook was fined €210 million, and Instagram was fined €180 million.

TikTok – €345 million GDPR Fine

Date: September 2023
Issued by: Irish Data Protection Commission (DPC)

In connection with its handling of children’s accounts, TikTok has been fined €345 million for violating GDPR.

The fine follows an investigation by the Irish Data Protection Commission (DPC) between July 31 and December 31, 2020, focused particularly on young users, which the DPC concluded in September 2023.

In the course of its investigation, the DPC examined a number of aspects, including platform settings, age verification, and communication with children. The DPC’s decision uncovered multiple GDPR breaches related to data processing, transparency, and fairness.

An administrative fine of €345 million was imposed on TikTok for these violations. The DPC also issued a reprimand and instructed TikTok to rectify its data processing practices within three months.

Meta Platforms Ireland Limited – €265 million GDPR Fine

Date: November 2022
Issued by: Irish Data Protection Commission (DPC)

A fine of €265 million was imposed on Meta by the Irish Data Protection Authority on November 25, 2022. The DPA had investigated Meta in 2021 following media reports that Facebook data containing users’ personal data had been made publicly available.

Up to 533 million users had their personal data (phone numbers and email addresses) disclosed without their permission.

The DPA reviewed and analysed Facebook Search, Messenger Contact Importer, and Instagram Contact Importer. In assessing the implementation of organizational and technical measures aimed at protecting personal data, it found a breach of Art. 25 GDPR.

WhatsApp – €225 million GDPR Fine

Date: September 2021
Issued by: Irish Data Protection Commission (DPC)

Following a three-year investigation, the Data Protection Commission (DPC) of Ireland issued a decision on 2 September 2021 fining WhatsApp Ireland, a Facebook-owned instant messaging and voice-over-IP service, €225 million (or $267 million) for violating the GDPR.

The binding decision was issued after the European Data Protection Board (EDPB) intervened and instructed the DPC (the lead supervisory authority for WhatsApp Ireland Ltd.) to reevaluate the originally proposed fine with regard to the transparency infringements and the calculation of the fine, as well as the timeframe for WhatsApp to comply.

Google LLC – €90 million GDPR Fine

Date: December 2021
Issued by: French Data Protection Authority (CNIL)

Google LLC was fined €90 million by the CNIL, as of December 31, 2021, for not allowing users in France to decline cookies as easily as they could accept them.

Making refusal mechanisms more complex than they should be discourages users from refusing cookies and benefits companies whose main revenue streams are advertising and targeting.

The CNIL ordered the companies to provide their users in France, within three months, with the same simple method for refusing cookies as they currently have for accepting them, or face a fine of €100,000 for each day they fail to comply.

The GDPR doesn’t directly deal with cookies, but it defines how data controllers can obtain consent, so this counts as a fine under the GDPR.

Google Ireland – €60 million GDPR Fine

Date: December 2021
Issued by: French Data Protection Authority (CNIL)

The €60 million fine to Google Ireland was issued by the CNIL on the same day as the abovementioned fine to Google LLC.

The smaller fine of 60 million euros was issued for the exact same reasons as the €90 million fine. However, this fine was issued concerning the search website.

Facebook Ireland – €60 million GDPR Fine

Date: December 2021
Issued by: French Data Protection Authority (CNIL)

Facebook failed to provide mechanisms allowing its users to refuse cookies as easily as they can accept them.

The investigation, which started in April, uncovered that, as opposed to a single button to accept cookies, Facebook requires several clicks to refuse cookies.

In addition, the button to refuse cookies is located at the bottom of the second page and is labelled “Accept cookies,” which is confusing and misleading.

Noa Kahalon
COO at hoggo

Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven SaaS platform for B2B trust where sellers can showcase & improve compliance and buyers can evaluate, manage and monitor them.