The General Data Protection Regulation (GDPR) represents the determination of the EU legislators to unify data protection policies and laws throughout the EU and to enforce them with heavy penalties.
Data protection supervisory authorities across Europe have issued a total of €1.64bn in fines since 28 January 2022, bringing the overall total of GDPR fines issued so far to €2.34bn. This is a year-on-year increase of 50% in aggregate reported GDPR fines, with ad-tech and behavioral advertising a top enforcement priority in 2022.
Fines issued to Amazon (€746 million) and numerous fines to Meta (€405 million, €390 million,…) hugely surpass what was the biggest fine for almost three years (Google €50 million).
20 biggest GDPR fines so far
Among EU member states, the highest individual GDPR fines were issued by Luxembourg, Ireland, France, Germany, Italy, and the UK.
1. Amazon GDPR fine – €746 million
On July 16, 2021, the Luxembourg National Commission for Data Protection (CNPD) issued the biggest fine ever for a violation of the GDPR, in the amount of €746 million ($888 million), to Amazon.com Inc.
The fine was the result of a complaint filed against Amazon in May 2018 by 10,000 people through La Quadrature du Net, a French privacy rights group that promotes and defends fundamental freedoms in the digital world.
The CNPD opened an investigation into how Amazon processes the personal data of its customers and found infringements regarding Amazon’s advertising targeting system, which was operated without proper consent.
Read the entire article: Luxembourg DPA issues €746 Million GDPR Fine to Amazon
2. Meta GDPR fine – €405 million
On September 5, 2022, Ireland’s Data Protection Commission issued a €405 million GDPR fine to Meta Ireland concerning the lawfulness of processing children’s personal data in accordance with the legal bases of performance of a contract and legitimate interest.
The DPC’s investigation focused on teenagers between the ages of 13 and 17, the operation of Instagram business accounts, and how such accounts automatically displayed the contact information (email addresses and/or phone numbers) of children publicly.
According to DPC, Meta failed to take measures to provide child users with information using clear and plain language, lacked appropriate technical and organizational measures, and failed to conduct a Data Protection Impact Assessment where processing was likely to result in a high risk to the rights and freedoms of child users.
Read more: Meta Fined €405 Million for Mishandling Teenagers’ Data on Instagram
3. Meta GDPR fine – €390 million
On 4 January, Ireland’s Data Protection Commission (DPC) announced the conclusion of two inquiries against Meta Ireland and the decision to issue a €390 million fine in connection to its Facebook and Instagram services.
Meta changed the Terms of Service for its Facebook and Instagram users right before the GDPR came into force, changing the legal basis for most of its processing activities from consent to contract.
Users were asked to accept the updated Terms of Service to access their Facebook and Instagram accounts; otherwise, the services would not be available to them.
Meta considered that, by accepting the Terms of Service, users entered into a contract with Meta, and claimed that the processing of personal data was necessary for the delivery of the Facebook and Instagram services and the performance of that contract, so that any personalized and behavioral advertising would be in line with the GDPR.
However, two complainants contended that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta was, in fact, “forcing” them to consent.
Read the entire article: DPC fines META €390 million for violation of the GDPR
4. Meta GDPR fine – €265 million
On November 25, 2022, the Irish DPA fined Meta €265 million. The DPA had previously launched an investigation against Meta back in 2021 after several media reports indicated that Facebook’s dataset with personal information was made available on a public hacking platform.
This data leak affected up to 533 million users, disclosing their personal data (phone numbers and email addresses) to third parties without authorization.
The DPA reviewed and analyzed the Facebook Search, Messenger Contact Importer, and Instagram Contact Importer Tools. The DPA’s main goal was to assess the implementation of organizational and technical measures that would protect personal data, and they found a breach of Art. 25 GDPR.
Read the entire article: Ireland: DPC imposes €265 million fine on Meta
5. WhatsApp GDPR fine – €225 million
On 2 September 2021, Ireland’s Data Protection Commission (DPC) announced its decision to issue a €225 million (or $267 million) GDPR fine to WhatsApp Ireland, the Facebook-owned instant messaging and voice-over-IP service, after a three-year investigation.
The binding decision was issued after the European Data Protection Board (EDPB) intervened and required the DPC (the lead supervisory authority for WhatsApp Ireland Ltd.) to reassess the initially proposed fine for transparency infringements, both in how the fine was calculated and in the timeframe given to WhatsApp to comply.
Read the entire article: GDPR fine: WhatsApp faces €225 million for transparency violation
6. Google LLC fine – €90 million
The CNIL concluded that making refusal mechanisms more complex than they should be discourages users from refusing cookies and benefits a company whose main revenue streams are based on advertising and cookie-based targeting.
The CNIL ordered the companies to provide users located in France with a means of refusing cookies that is as simple as the existing means of accepting them within three months, or pay a penalty of €100,000 per day of delay.
Cookie regulation, or the ePrivacy Directive, does not directly fall under the GDPR, but the GDPR defines how data controllers can obtain consent, and therefore this counts as a GDPR fine.
Read the entire article in detail: CNIL fines Google and Facebook a total of €210 million over cookies
7. Google Ireland fine – €60 million
The €60 million fine to Google Ireland was issued by the CNIL on the same day as the above-mentioned fine to Google LLC.
The smaller fine of €60 million was issued for exactly the same reasons as the €90 million fine; however, this fine related to the google.fr search website.
8. Facebook Ireland – €60 million
9. Google France GDPR fine – €50 million
On January 21, 2019, the French National Commission on Informatics and Liberty (CNIL) fined Google €50 million for lack of transparency, inadequate information, and lack of valid consent regarding ads personalization. The violation included infringements of the following Articles:
- Information to be provided where personal data are collected from the data subject – Article 13,
- Information to be provided where personal data have not been obtained from the data subject – Article 14,
- The lawfulness of processing – Article 6,
- Principles relating to the processing of personal data – Article 5
In May 2018, the CNIL received group complaints from the association None Of Your Business (NOYB) and La Quadrature du Net (“LQDN”).
Google failed to provide enough information to users about its consent policies and did not give them enough control over how their personal data is processed.
10. H&M GDPR fine – €35.25 million
The Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) issued a €35.3 million (or $41.5 million) fine to the Swedish retail conglomerate Hennes & Mauritz (H&M) for violation of the GDPR.
After a technical error, the data on the company’s network drive was accessible to everyone in the company for a few hours. The press picked up the news, making the Commissioner aware of the violation.
The case is particularly interesting because the company collected sensitive personal data about its employees through whispering campaigns, gossip, and other sources to create employee profiles, and used that data in employment decisions.
The personal data included medical records, including diagnoses and symptoms of the illness, and private details about vacation and family affairs.
Read the entire article here: H&M fined €35.3 Million for violation of the GDPR
11. TIM GDPR fine – €27.8 million
On January 15, 2020, the Italian DPA (Garante) issued a €27.8 million GDPR fine to the Italian telecommunications operator TIM for an extensive list of violations.
TIM contacted non-customers multiple times (certain numbers over 150 times per month) without proper consent or any other legal basis.
A few million individuals were affected by this aggressive marketing strategy. Violations included:
- Improper management of consent lists
- Excessive data retention
- Data Breaches
- Lack of proper consent
- Violation of GDPR rights.
The personal information included name, surname, or company name; tax code or VAT number; telephone line; address; contact details.
Read more: €27.8 million GDPR fine for Italian Telecom TIM
12. Enel Energia GDPR fine – €26.5 million
On 19 January 2022, the Italian Data Protection Authority (Garante) published its decision to impose a €26.5 million fine on Enel Energia for the unlawful processing of personal data for telemarketing purposes and violation of the accountability principle, among other violations.
Garante carried out an investigation following numerous complaints and reports regarding:
- unsolicited marketing and promotional calls,
- late or non-response to requests for the exercise of the right of access to personal data or opposition to processing for marketing purposes,
- and various problems deriving from personal data management in the context of energy supply services, including the activities carried out through the company website and related apps.
Read the entire article: Italian Garante fines Enel Energia €26.5M for violation of the GDPR
13. British Airways GDPR fine – €22.4 million
In 2019, the ICO announced its intention to fine British Airways €204.6 million (£183.39 million) for violation of the GDPR (Article 32 and Article 5(1)(f)).
What was initially announced as the biggest GDPR fine ever issued ended up being reduced to £20 million, in light of the COVID-19 pandemic and its effect on the airline industry.
The incident occurred in July 2018 but was only discovered in September 2018. In those few months, the British Airways website diverted users’ traffic to a site controlled by the attackers, which resulted in the theft of the personal data of more than 400,000 customers.
According to the ICO official statement, “…investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.”
The company had inadequate security mechanisms to prevent such cyber-attacks from happening.
The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.”
Read the entire article: British Airways fine for 2018 data breach reduced to £20 million
14. Marriott GDPR fine – €20.45 million
In July 2019, the ICO issued a notice of intent to fine Marriott International £99 million for infringements of the GDPR. The fine related to a cyber attack that exposed over 339 million guest records.
Of those 339 million individuals, 31 million were residents of the EEA.
Marriott International exposed itself to the cyber-attack after its acquisition of the Starwood hotels group.
The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.
On October 30, 2020, the ICO issued a penalty notice explaining its decision, finally concluding the investigation after more than a year. The fine was reduced from £99 million to £18.4 million.
In its penalty notice, the ICO explains the reasons behind the decision, taking into account a range of mitigating factors and the impact of the Covid-19 pandemic.
15. Clearview AI fine – €20 million
On 20 October 2022, the French data protection authority (CNIL) imposed a €20 million fine on Clearview AI over its facial recognition technology.
After a formal notice went unaddressed, the CNIL issued the maximum fine and ordered Clearview AI to cease all collection and use of personal data of individuals in France without a proper legal basis, and to delete the data already collected.
If it fails to do so, Clearview AI could face additional penalties of €100,000 per day of delay, starting two months after the decision.
Read the entire article: CNIL issues €20 million GDPR fine to Clearview AI
16. Clearview AI fine – €20 million
On 13 July 2022, the Hellenic DPA fined Clearview AI €20 million for violating the lawfulness and transparency principles (Articles 5(1)(a), 5(2), 6 and 9 GDPR) and its obligations under Articles 12, 14, 15 and 27 of the GDPR.
The DPA examined a complaint against Clearview AI filed by the civil non-profit organization “Homo Digitalis” on behalf of a complainant, who claimed that the company had not properly satisfied the right of access they had exercised against it.
The complaint also requested that the company’s personal data practices be examined as a whole.
The DPA ordered Clearview AI to comply and imposed a ban on the collection and processing of personal data of subjects located in Greek territory using the methods of its facial recognition service.
Finally, the DPA ordered Clearview AI Inc. to delete the personal data of those subjects located in Greece.
Read the entire article: Hellenic DPA fines Clearview AI 20 million euros
17. Meta GDPR fine – €17 million
On March 15, 2022, Ireland’s Data Protection Commission (DPC) announced a decision to impose a €17 million fine on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) for violation of the General Data Protection Regulation (GDPR).
The DPC examined how Meta complied with the GDPR requirements in relation to the processing of personal data relevant to twelve breach notifications.
The investigation uncovered infringements of Article 5(2) and Article 24(1) GDPR, finding that Meta failed to implement appropriate technical and organizational measures that would allow it to demonstrate the security measures applied to protect the personal data of EU users in the reported personal data breaches.
Read the entire article: GDPR fine: Irish DPC imposes €17 million fine to Meta
18. Wind GDPR fine – €16.7 million
On July 13, 2020, the Italian DPA (Garante) issued a €16.7 million GDPR fine to the telecommunications operator Wind Tre S.p.A.
The fine followed complex investigations prompted by numerous complaints from individuals. More than a hundred clients complained about unsolicited marketing conducted without proper consent via calls, fax, automated telephone calls, and SMS.
Also, several customers complained that they could not withdraw their consent or even object to the processing while their personal data was published in public directories.
The DPA investigation showed that the apps that were used (MyWind and My3) had been configured to require the user to consent, on each access, to processing for various purposes, including marketing, profiling, communication of data to third parties, data enrichment, and geolocation; however, the withdrawal of such consent was allowed only after 24 hours.
Read more: Italian DPA issues €16.7 million to Wind Telecommunications for violation of GDPR
19. Vodafone Italia GDPR fine – €12.25 million
On November 12, 2020, the Italian data protection authority (Garante) issued a €12.25 million GDPR fine to Vodafone Italia for the unlawful processing of the personal data of millions of users for telemarketing purposes.
Garante conducted a complex investigation following numerous complaints about continuous unwanted telephone calls made by Vodafone and its sales network to promote their services.
The investigation uncovered a database of up to 4.5 million contacts purchased from external providers without proper consent. The violations affected Vodafone’s entire Italian customer base.
As the EDPB noted “The investigation brought to light major criticalities of a ‘structural’ nature having to do with the violation not only of consent requirements but also of key principles such as accountability and data protection by design as set forth in the EU GDPR. These criticalities could be traced down to the processing activities performed both in respect of Vodafone’s customer database and – more broadly – with regard to prospective users of electronic communications services.”
Read the entire article: Italian DPA issued a €12.25 million GDPR fine to Vodafone for aggressive telemarketing
20. Notebooksbilliger.de GDPR fine – €10.4 million
On January 8, 2021, the German electronics retailer Notebooksbilliger.de received a €10.4 million GDPR fine for video monitoring its employees for over two years without any legal basis, recording workplaces, salesrooms, warehouses, and common areas.
Notebooksbilliger claimed that the reason behind the CCTV monitoring was theft prevention and criminal offenses investigation as well as tracking the flow of goods from the warehouse.
The two main objections of the LfD were that the video monitoring was done without a proper legal basis and that the recordings were kept for significantly longer than necessary (60 days) over a period of at least two years.
Read the entire article: 10.4 million Euro GDPR Fine to Notebooksbilliger for Video Surveillance
GDPR fines so far – conclusion
This is the up-to-date list of the biggest GDPR fines so far, but the list is constantly changing, reflecting intense activity by data protection authorities. As the DLA Piper report states:
“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime.”
2023 is likely to give rise to more data privacy laws and could prove to be a year of increased enforcement and greater penalties for violations of GDPR.
How can you become compliant faster?
Data Privacy Manager is a modular solution that tackles real day-to-day challenges and can help you with:
✅ Central management and connectivity with other systems
✅ Collaboration through all organizational units
✅ Automated data removal
✅ Managing compliant records of processing activities
✅ Risk-free third-party management