GDPR fines: you’ve surely heard about companies that have been fined millions because they weren’t GDPR-compliant. These sanctions can have serious consequences for businesses of all sizes.
It’s not only about the monetary value of the sanction, but also about the reputational damage that comes with it.
In this post, we’ll go over the biggest GDPR fines issued so far, to help you understand the criteria that European Data Protection Authorities take into consideration when evaluating GDPR breaches.
But first, let’s quickly recap…
Fines for non-compliance can go up to 20 million euros, or 4% of the annual worldwide turnover (whichever is greater).
Users have the right to file a complaint with a supervisory authority if they feel that the processing of their data wasn’t GDPR-compliant, and ask for compensation for any damages.
Moreover, these sanctions can also include official reprimands (for first-time violations), periodic data protection audits and liability damages.
Let’s go over the largest GDPR fines issued so far.
The biggest GDPR fine was issued by the Luxembourg DPA on July 16th, 2021. The DPA fined Amazon Europe 746 million euros, after a series of 10,000 complaints filed by the French group La Quadrature du Net.
The Authority found that Amazon was showing targeted advertising without the users’ proper consent.
On September 5th, 2022, Ireland’s Data Protection Commission issued a 405 million euro fine to Meta Platforms, Inc.
The DPC investigated the processing of children’s personal data and found that the company was publicly disclosing email addresses and/or phone numbers of children using the Instagram business account feature.
On January 4th, 2023, Ireland’s Data Protection Commission (DPC) issued another 390 million euro fine against Meta Ireland Limited.
After NOYB filed three different complaints, the DPC concluded that the processing on the basis of a contract for personalized ads is not GDPR-compliant. Meta was relying on a consent clause in their Terms of Service to show its users personalized ads.
On November 25th, 2022, Ireland’s DPC fined Meta 265 million euros.
The DPA launched an investigation in April 2021, after media reports revealed that a dataset of Facebook users’ personal data had been made available on the internet. This data breach affected the personal information of 533 million users.
Meta was fined because it wasn’t complying with the principles of Privacy by Design and Privacy by Default stated in the GDPR.
On September 2nd, 2021, Ireland’s Data Protection Commission issued a 225 million euro fine against WhatsApp Ireland, in conclusion to an investigation that had started in 2018.
WhatsApp wasn’t complying with the GDPR principle of transparency, not giving users enough information about its processing activities and the legal basis it was using.
On December 31, 2021, the CNIL issued a 90 million euro fine to Google LLC, because it wasn’t complying with the French Data Protection Act.
In particular, the CNIL found that YouTube users couldn’t reject cookies as easily as they could accept them. Besides the fine, Google LLC was given three months to change the look and functioning of its cookie banner.
A smaller fine of 60 million euros was issued by the CNIL to Google Ireland Ltd.
The reason was the same as above, but it referred to the website google.fr.
On the same day, December 31, 2021, the CNIL also fined Facebook Ireland 60 million euros.
The reason was the same: Facebook users couldn’t reject cookies as easily as they could accept them.
On January 19th, 2019, CNIL fined Google LLC 50 million euros after a series of complaints by NOYB and La Quadrature du Net.
The main reason for this fine was a lack of transparency, inadequate information and a lack of valid consent. Users didn’t have enough information about the processing of their personal data.
This was one of the first big fines issued under GDPR.
On October 1st, 2020, the Hamburg Commissioner for Data Protection and Freedom of Information issued a 35.2 million euro fine to H&M.
Since at least 2014, some employees had been subject to extensive recording of details about their private lives. These details, such as vacation experiences but also symptoms of illness and diagnoses, were recorded, stored, and used to make decisions about their employment.
The DPA became aware of this violation only because, due to a technical error, the data was accessible to everyone in the company for a few hours.
While these sanctions are huge, there are also smaller fines that are issued every day. European DPAs are very active in monitoring GDPR compliance.
Here is the top 10 EU countries with the highest number of GDPR fines issued so far:
Yes, it can happen. Of course, your small business probably won’t receive a fine as huge as the ones above, but even a smaller amount can really impact your processes.
Also, don’t forget that a monetary sanction isn’t the only consequence of non-compliance: official reprimands, periodic data protection audits and liability damages can be as scary as a fine. Not to mention the reputational damage a GDPR sanction can cause.
But don’t worry! GDPR compliance doesn’t have to be difficult.