The 10 Biggest GDPR Fines Ever (2023)
Facebook owner Meta was slapped with a €1.2 billion fine by Ireland’s Data Protection Commission this week – the biggest fine ever imposed under the EU General Data Protection Regulation (GDPR).
According to a BBC report, the fine was enforced due to Meta mishandling personal data when transferring it between Europe and the US.
Hicomply CEO, Ed Bartlett, said: “Compliant customer data management for businesses is now critical and expensive if you get it wrong, as evidenced by the recent Meta EU fine. Big tech is always in the firing line, as these companies take huge amounts of value from customers’ data. But it’s just not big tech we need to watch.
“Most businesses use in excess of 20 separate cloud hosted platforms. Each one of those should be following GDPR rules, requiring consent before using personal data even when transferred outside the UK or EU. However, the US has weaker privacy laws wherein US intelligence services can also access your data. We’ve seen Canadian firms buying UK-hosted solutions over US-based vendors for this very reason.
“UK firms should always check where their business data is hosted, as you could be inadvertently breaching GDPR with your customers’ data.”
There have been hundreds of fines imposed since GDPR legislation was introduced in 2018 – so the Hicomply team has looked at the ten biggest fines and the reasoning behind them.
Source: GDPR Enforcement Tracker
1. €1.2bn - Meta
In May 2023, the company received a hefty €1.2bn fine for mishandling data when transferring information between Europe and the United States.
The Data Protection Commission said of the company’s use of standard contractual clauses (SCCs) to move data to the US: “these arrangements did not address the risks to the fundamental rights and freedoms of data subjects.”
2. €746m - Amazon Europe Core S.à r.l.
Amazon received a €746m fine from the Luxembourg National Commission for Data Protection (CNPD) in 2021. The CNPD issued the fine after concluding that Amazon’s practices “did not comply with the EU General Data Protection Regulation.”
3. €405m - Meta Ireland (Instagram)
Meta subsidiary Instagram was fined €405m after the European Data Protection Board upheld the Data Protection Commission’s finding that the company had mishandled teenage users’ data.
The DPC found that Meta “had failed to implement technical and organisational measures to ensure that, by default, only personal data that was necessary for the relevant purpose of processing was collected. Particularly considering that the child users’ accounts were by default made visible to an indefinite number of natural persons, the IE SA found that the processing had infringed Article 5(1)(c) and Article 25(2) GDPR.”
4. €390m - Meta Ireland (Facebook and Instagram)
Meta Ireland again came under fire and received the combined €390m fine after complaints were made about its updated terms of service when GDPR came into effect on 25 May 2018. The DPC investigation stated: “Meta Ireland is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.”
5. €265m - Meta Ireland (Facebook)
In November 2022, Meta Ireland received the €265m fine from the DPC after Facebook’s compliance with GDPR data protection by design and default principles were called into question. The DPC found infringements of Articles 25(1) and 25(2) GDPR and issued the fine, as well as ordering remedial actions to bring the organisation’s processing into compliance.
6. €225m - WhatsApp Ireland
Another Meta subsidiary, WhatsApp Ireland, was fined in 2021 after a DPC investigation into the company’s provision of information and the transparency of that information to both users and non-users of WhatsApp’s service, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.
The company was fined €225m and ordered to bring its processing into compliance by taking a range of specified remedial actions.
7. €90m - Google
Tech giant Google was fined in 2021 by France’s Commission nationale de l'informatique et des libertés (CNIL). The commission found that on the Google.fr and YouTube.com sites, “while they offer a button to immediately accept cookies, the sites do not put in place an equivalent solution (button or other) to allow the Internet user to easily refuse the deposit of cookies. Several clicks are necessary to refuse all cookies, against only one to accept them.”
This was found to be in contravention of Article 82 of GDPR, and the company was fined €90m.
8. €60m - Facebook Ireland
CNIL also fined Facebook Ireland for the procedure for refusing cookies on Facebook.com, stating: “while it offers a button to immediately accept cookies, it does not offer an equivalent solution (button or other) to allow the user to so easily refuse the deposit of cookies. Several clicks are necessary to refuse all cookies, against only one to accept them. The CNIL has also noted that the button to refuse cookies is located at the bottom of the second window and is entitled "Accept cookies.”
The company was levied a €60m fine for the violation of Article 82 of GDPR.
9. €60m - Google Ireland
At the same time as Google received its €90m fine from CNIL, Google Ireland was also fined for contravention of Article 82 of GDPR, “since it is not as simple to refuse cookies as to accept them.”
The company received a €60m fine, which the CNIL stated was justified the number of people concerned and the considerable profits that the companies derived from the advertising revenue indirectly generated from the data collected by the cookies.
10. €50m - Google
Google was also fined €50m in 2019 after CNIL’s Restricted Committee found that the company violated the obligations of transparency and information, including that the information provided by Google was not easily accessible for users, some information was not always clear or comprehensive, and users’ consent was not sufficiently informed. The committee concluded that user consent was neither specific nor unambiguous.
Ready to Take Control of Your Privacy Compliance?
Book a demo and experience the difference with Hicomply.