Europe's General Data Protection Regulation (GDPR) is often touted as the toughest set of privacy regulations globally. Effective since May 25, 2018, GDPR applies to any organization that targets or collects data in relation to residents in the EU, regardless of where the organization is based.
GDPR was introduced as a way to update decades-old privacy laws and make them fit for the digital age. As big tech companies got into the nasty habit of consuming our data and profiting from it, GDPR was an attempt to create a balance between an individual's right to privacy and the companies' legitimate interests.
The regulations made a massive impact on the way organizations collect, store, and use personal data. One of the most visible outcomes of GDPR was the cookie consent banner but that is just one of the many GDPR requirements.
Many businesses still struggle to adhere to GDPR's strict rules, and it's not just the SMEs: some of the world's largest and most successful companies have been fined for non-compliance. We take a look at some of the biggest GDPR fines so far.
When you take into consideration that a non-compliant entity could be fined up to €20 million, or 4% of its annual global turnover for the previous year, the stakes are high.
The GDPR fine-tracking site Enforcement Tracker is like the GDPR naughty list.
It gives details of the penalties handed out by EU authorities for GDPR non-compliance. Keep in mind that not all fines are made public, so the list isn't complete, but it's still impressive, with 1,430 entries and fines ranging from €746 million down to €28.
Let's take a look at the biggest GDPR fines so far.
Amazon — €746 million ($887 million)
Amazon's GDPR fine is top of the list by a clear country mile. In fact, it's €300 million more than the next entry on our list. The mammoth fine was delivered by Luxembourg's National Commission for Data Protection in July 2021.
Few details are known about the actual complaint, but it stemmed from how Amazon used consumer data for targeted advertising. The claim was that the retail giant's system wasn't based on "free consent".
Amazon appealed the decision calling the fine “entirely out of proportion”. Although the fine is staggering, it could have been a lot worse when you consider Amazon's annual turnover in 2020 was $386.064 billion. If GDPR wanted to stick to their 4% rule, they could have been fined up to $15.44256 billion. So we don't feel too sorry for them!
Instagram — €405 million ($401 million)
In September 2022, Ireland's Data Protection Commissioner (DPC) ended a two-year investigation by levying a fine of €405 million on Instagram, the second-highest GDPR fine to date. So what did the Meta-owned social media platform do to justify such a huge penalty?
Instagram gave users the ability to change their personal account to a business account. A business account gives users extra visibility into their accounts with certain metrics such as how many people have visited their profile and individual post views.
Sounds good. But there are two factors that made this a recipe for a massive GDPR fine...
1- At that time, business accounts published phone numbers and email addresses by default.
2- 60 million Instagram users are under the age of 18. (The minimum age for Instagram registration is 13 years old.)
Many under-18 users made the switch, blissfully unaware that by doing so their contact information was now exposed.
In a statement, Instagram declared that they were fully engaging with the Irish data regulator in their investigations but disagreed with the calculations for the fine and intend to appeal it.
Don't they all?
Meta Platforms Ireland Ltd — €390 million ($422 million)
The Irish Data Protection Commission was at it again, handing out a hefty fine of €390 million to Meta in January 2023 for violating EU data rules. The DPC found Meta’s method of obtaining consent for using individuals' data in ads on the platforms to be illegal.
While Meta expressed disappointment, it emphasized that personalized advertising won’t be halted. The regulator hit back by highlighting that platforms like Facebook and Instagram can’t coerce consent by making it a condition to use their services.
The DPC's decision was seen as a win by privacy advocates, signaling that Meta will need to offer genuine choices to users regarding how their data is utilized for online ads.
However, the choice EU users have now been given is either to pay for privacy or agree to have their data used just as it was before. There will be two tiers of subscriptions costing €9.99 or €12.99 a month, depending on whether they want to access the platforms via the web or an app on their smartphones.
TikTok Ltd — €345 million ($375 million)
TikTok faced a whopping €345 million fine from the Irish Data Protection Commission (DPC) in September 2023 due to breaching GDPR rules concerning children's data.
The DPC's decision culminated from an intense two-year investigation into TikTok's privacy practices.
It was found that child user profiles defaulted to public settings, allowing unrestricted access to posted content by anyone. Even though kids could set their accounts to private during setup, they were given the option to skip this step, leading to potential breaches.
The 'Family Pairing' feature enabled non-verified adults to link their accounts to children's, posing significant risks by allowing direct messaging.
The investigation also found that TikTok lacked clear transparency for child users, with a vaguely worded privacy notice that caused confusion over who could access content.
TikTok also used 'Dark Patterns,' to nudge users into sharing more private data, which goes against GDPR fairness guidelines.
In response, TikTok was ordered to bring its handling of child user data into compliance within three months, in addition to paying the fine.
TikTok disagreed with the decision, especially the magnitude of the fine, claiming that the problems with the features criticized had already been addressed before the investigation.
WhatsApp Ireland Ltd — €225 million ($255 million)
WhatsApp's parent company Meta was hit with a massive €225 million fine for failing to fully communicate to their EU users how their data is used. The fine came in August 2021 after a three-year investigation again by the Irish DPC. The main issue was the lack of transparency on how WhatsApp shared user data with Facebook.
Although WhatsApp did appeal the commission's decision, it did also rewrite its privacy policy to include more details on how customer data is collected and used, how it's stored, and when it's deleted.
Incidentally, in the 72 hours after WhatsApp published its new policy, competitor messaging service Telegram recorded 25 million new users. Coincidence? Perhaps not.
Google LLC — €90 million ($102 million)
This Google fine is part one of a double-whammy for Google, putting them in the third AND fifth spot on our list of the biggest GDPR fines. In December 2021, the French data regulator CNIL issued a €90 million fine to the California-based Google LLC and an additional €60 million fine to Google Ireland.
The combined €150 million GDPR fine was the result of French users of Google and YouTube being unable to easily refuse cookies. CNIL found that in order to decline cookies, users had to make several more clicks than it took to accept them.
The French authority justified the hefty amounts by the number of people affected and the considerable profit Google generates from the cookie-collected data.
Facebook Ireland Ltd — €60 million ($68 million)
This particular Facebook fine also came from CNIL, at the same time as the Google penalties, and for the very same reason. Like Google, Facebook had failed to give its French users an easy way to refuse cookies. Where accepting cookies was as easy as one click, refusing them required several.
Interestingly, Facebook had requested that the French data regulator not make the decision public. CNIL decided that due to the amount of data and the number of people affected, the infringement was serious enough to warrant a publicly declared fine.
Google Ireland Ltd — €60 million ($68 million)
This is the second part of Google's combined €150 million GDPR fine in December 2021, which saw Google's Irish office fined €60 million. In addition to the fines, CNIL also declared that the company had three months to rectify the cookie refusal issue. If it failed to do so within the time frame, each entity would also have to pay a penalty of €100,000 per day until it was fixed.
It was fixed pretty quickly. They maybe learned their lesson after the last GDPR fine...
Google LLC — €50 million ($56.8 million)
Google's first landmark fine was levied back in January 2019, when CNIL hit them with a €50 million fine. At that point, it was the biggest GDPR fine so far.
The French regulator found Google lacked transparency when it came to informing users about Google's data processing purposes and storage periods. According to the findings, the information was presented in different places and required users to make multiple clicks to obtain the details.
And when they did get to the details, they were considered to be too generic and vague. This insufficient information then led the commission to declare that Google hadn't properly obtained user consent for personalized ads.
Criteo — €40 million ($43 million)
French ad tech giant Criteo found itself in hot water in June 2023 when it faced a revised fine of €40 million for mishandling user consent in targeted advertising.
The case was initiated in 2018 when Privacy International raised concerns about data processing in the ad tech industry, naming Criteo among the players.
Key issues revolved around Criteo's sophisticated tracking tactics for hyper-focused ad targeting, which Privacy International dubbed a "manipulation machine."
CNIL, France's data privacy watchdog, investigated and initially fined the company €60 million. However, Criteo appealed, arguing its actions were unintentional and caused no harm since the data was pseudonymized.
Although the fine was cut by one-third, Criteo maintains its innocence and plans to appeal again, citing disproportionate penalties compared to industry peers like Google and Meta.
H&M — €35 million ($41 million)
In October 2020, the clothing retailer came under the GDPR spotlight for data protection violations in the H&M Service Center based in Nuremberg. The company had recorded back-to-work meetings with employees which were mandatory after any period of leave.
The recordings had been made available to up to 50 managers throughout the organization without the employees' knowledge or prior consent.
The practice was only brought to light when the data collected was accidentally made accessible company-wide in October 2019 due to a system configuration error.
The videos contained personal and private information, including medical details. The information contained was also used to make employee profiles to inform decisions about their ongoing employment.
Seriously, H&M?! It's surprising that the Hamburg Commissioner for Data Protection and Freedom of Information didn't impose a much higher penalty for such a blatant violation of privacy. It's not only one of the biggest GDPR fines but possibly one of the most shocking.
TIM — €27.8 million ($31.5 million)
In January 2020, the Italian telecommunications company was issued a €27.8 million fine by the Italian Data Protection Authority (Garante).
The reason was a long list of data collection and processing violations regarding lack of proper consent, improper management of consent lists, an excessive data retention period, not responding to data breaches, and hundreds of complaints for aggressive promotional campaigns.
TIM had been found to have made millions of cold calls to non-customers, many of whom were registered on Italy's do-not-call list. Some numbers were even called 155 times in a month! The investigation also found that the calls continued even after the data subjects objected.
The Italian regulator defended the high penalty saying it was deserved due to the millions affected and the lack of accountability shown by TIM.
Enel Energia — €26.5 million ($29.3 million)
The Italian data protection authority was on a roll in January 2020, with another huge GDPR fine, this time to energy company Enel Energia. The multinational electric and gas supplier was fined €26.5 million after an investigation triggered by hundreds of complaints about unsolicited promotional calls received by the regulator.
The investigation found multiple GDPR violations beyond the invasive promotional calls that were made without prior consent. Like TIM, many of these calls were made to off-directory users or users on the opt-out register. The energy company also failed to correctly manage or respond to users' requests to access their personal data or to objections to processing their data for marketing purposes. Their lack of action brought them to our list of biggest GDPR fines so far.
British Airways — €22 million ($26 million)
In October 2020, British Airways was hit with a whopping €22 million GDPR fine by the UK's Information Commissioner's Office (ICO). The fine was a penalty for the BA data breach back in 2018 that affected 400,000 customers. BA systems were hacked, exposing customers' log-in credentials and financial details, as well as names and addresses.
After a two-year investigation, the ICO concluded that BA's security measures were insufficient for the significant amounts of personal data, thus breaking the data protection law. It also didn't look good that it had taken the airline more than two months to even notice they had suffered a breach.
Although the amount was eye-watering enough and is the largest fine issued by the ICO, it could have been a lot worse. The privacy watchdog had initially proposed a fine of €183 million back in 2019 but adjusted it in light of the economic impact of the COVID-19 pandemic. It's still epic enough to make the list of the biggest GDPR fines so far.
Marriott — €20.4 million ($23.8 million)
The ICO handed out another huge GDPR non-compliance fine in October 2020 to the hotel chain, Marriott after 383 million guest records (30 million of them EU residents) were exposed in a data breach.
The hack dated back to 2014 when the reservation system of Marriott's subsidiary hotel, Starwood, was compromised. Although the incident took place before Marriott acquired the Starwood Group (in 2016), the incident wasn't discovered until 2018, making them liable.
Again, Marriott was “saved” by COVID, as the ICO decided to lower the fine by about €100 million. It's still a staggering enough figure to make the list of biggest GDPR fines ever, and the data breach itself has also made it to our wall of shame by featuring in our blog: The Biggest Data Breaches of All Time.
Of course, GDPR isn't the only data privacy law out there to hold organizations to account. The California Consumer Privacy Act (CCPA) has also been used to penalize companies that don't take consumer privacy seriously. You can read more here: A Lesson in CCPA Compliance: The Sephora Story
Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.