Following the introduction of GDPR in May 2018, initial reports showed that data breach complaints increased by 160%. That rate is alarming, and it shows just how critical it is to ensure staff receive comprehensive GDPR training.
Top 20 GDPR fines so far
- Meta Platforms Ireland Ltd. - €1.2bn fine (2023)
- Amazon Europe - €746m fine (2021)
- Meta Platforms, Inc. - €405m fine (2022)
- Meta Platforms Ireland Ltd. - €390m fine (2023)
- TikTok Ltd - €345m fine (2023)
- Meta Platforms Ireland Limited - €265m fine (2022)
- WhatsApp Ireland - €225m fine (2021)
- Google Inc - €50m fine (2019)
- Criteo - €40m fine (2023)
- H&M - €35.3m fine (2020)
- TIM - €27.8m fine (2020)
- British Airways - €22m fine (2020)
- Clearview AI Inc. - €20m fine (2022)
- Marriott International - €20m fine (2020)
- Meta Platforms Ireland Ltd. - €17m fine (2022)
- Wind Tre - €16.7m fine (2020)
- Deutsche Wohnen – €14.5m fine (2019)
- TikTok - £12.7m fine (2023)
- Vodafone Italia - €12.25m fine (2020)
- Eni Gas e Luce - €11.5m fine (2020)
In 2018, the total amount of fines issued for the year was only €436,000. This, clearly, ramped up in the years that followed. The biggest 20 GDPR fines from the past five years reveal some key takeaways.
Firstly, 2021 recorded two heavyweights in terms of penalty amounts. The fines dished out to Amazon Europe and WhatsApp Ireland were in a league of their own, at least for their time.
Secondly, there's little evidence of firms learning a lesson from these penalties. There are multiple repeat offenders on this list.
Finally, it appears that either fines are getting steeper or the breaches are becoming more serious with time. After a year of relatively low fines in 2019, the following two years saw some hefty penalties. In recent times, 2022 and 2023 have a near-even split, although 2023 has seen the largest GDPR fine ever issued and has three of the top five all-time fines.
We continuously track the largest GDPR fines each year. If you're interested in the full details, have a look at the all-time biggest ICO fines, the highest GDPR fines in 2019, 2020, 2021, fines in 2022 and the most recent fines in 2023.
The 20 biggest GDPR fines in detail
1. Meta Platforms Ireland Ltd. - €1.2bn fine (2023)
GDPR breaches - Art. 46 (1)
Ireland's Data Protection Commission (DPC) found Meta to be in violation of the GDPR's rules on international transfers. The record-breaking fine of €1.2bn was issued to Facebook's parent company for the way it handled personal data when transferring it from Europe to the United States (US).
At the heart of the breach is Meta's reliance, since 2020, on standard contractual clauses (SCCs) as the legal basis for transferring data to the US. SCCs are a valid transfer mechanism only where the data actually receives an adequate level of protection at the receiving end, and the DPC found that Meta's transfers failed to provide it.
In addition to the fine, Meta has been ordered to bring its data transfers into compliance with the GDPR. Meta has stated that it will appeal this decision.
2. Amazon Europe - €746m fine (2021)
GDPR breaches - Non-compliance with general data processing principles
In 2021, Luxembourg's National Commission for Data Protection (CNPD) fined Amazon Europe a then record-breaking €746 million in respect of how it uses customer data for targeted advertising purposes.
In 2018, the French privacy rights group La Quadrature du Net submitted a complaint.
The complaint - which also targeted Apple, Facebook, Google and LinkedIn - was filed on behalf of more than 10,000 customers. It alleged that Amazon had manipulated customers for commercial means by choosing what advertising and information they received.
The CNPD ruled that Amazon must commit to changing its business practices.
3. Meta Platforms, Inc. - €405m fine (2022)
GDPR breaches - Art. 5 (1) a), c), Art. 6 (1), Art. 12 (1), Art. 24, Art. 25 (1), (2), Art. 35
The Data Protection Commission (DPC) issued a fine to Meta Platforms Ireland Ltd. (Instagram) of €405m which includes a fine of €20m for the infringement of Article 6(1). This is one of the all-time biggest GDPR fines. An inquiry into the company investigated the processing of personal data of child users on the social networking service Instagram.
The DPC conducted a thorough investigation and submitted a draft decision to its peer regulators in the EU. When they could not reach a consensus, the case was referred to the European Data Protection Board (EDPB). Following the EDPB's binding decision, the DPC imposed the €405m fine and issued a reprimand to the company with an order requiring specified remedial actions.
4. Meta Platforms Ireland Ltd. - €390m fine (2023)
GDPR breaches - Art. 5 (1) a), Art. 6 (1), Art. 12, Art. 13 (1) c)
Meta Platforms Ireland Ltd. makes a second appearance for the year with a €390m fine over the unlawful way it sought users' agreement to use their data for ads on Facebook and Instagram. The regulator held that Meta cannot force consent by making acceptance of its data use a condition of using the platform.
During the investigation, the Irish Data Protection Commission (DPC) also found that Meta was not clear enough about how and why it would use a user's data.
5. TikTok Ltd - €345m fine (2023)
GDPR breaches - Art. 5 (1) c), 5 (1) f), Art. 12 (1), Art. 13 (1) e), Art. 24 (1), Art. 25 (1), (2)
The Irish Data Protection Commission (DPC) fined TikTok €345m for breaching a number of GDPR rules, including placing the accounts of 13-17-year-old users on a public setting by default.
This failure to shield underage users from public view was coupled with not supplying these users with transparent information and not checking if the adult who 'paired' with the child in the 'family pairing' scheme was, in fact, a parent or guardian.
Furthermore, the DPC found that TikTok didn't take into account the risk posed to underage users who gained access to the platform.
6. Meta Platforms Ireland Limited - €265m fine (2022)
GDPR breaches - Art. 25 (1), (2)
Meta Platforms Ireland Limited (MPIL), the data controller of 'Facebook' social media network, has been issued a fine of €265m along with corrective measures. This is one of the largest fines since the beginning of GDPR.
The inquiry began after reports that a collated dataset of Facebook users' personal data, scraped from the platform, had been published on the internet. The main issues in the inquiry concerned compliance with the GDPR obligation of Data Protection by Design and by Default.
After a comprehensive investigation, the DPC found MPIL in breach of Articles 25(1) and 25(2) GDPR, and the supervisory authorities agreed with the final decision.
7. WhatsApp Ireland - €225m fine (2021)
GDPR breaches - Articles 5, 12, 13, 14
Ireland's data protection authority fined WhatsApp €225m (around £193m) in 2021 for violating privacy standards. At the time, it was the highest penalty the Irish Data Protection Commission (DPC) had ever imposed and the second-highest issued under the GDPR.
An investigation opened in 2018 revealed that WhatsApp was not transparent enough with its users about how it collected, managed and processed their data. Following "a lengthy and comprehensive investigation," the Irish DPC said it had communicated its draft decision to other regulators, as required under the GDPR, and had received objections from eight of them, including those in Germany, France and Italy.
8. Google Inc - €50m fine (2019)
GDPR breaches - Articles 4, 5, 6, 13, 14
In one of the most high-profile cases of 2019, the French data regulator (CNIL) fined Google an astounding €50 million.
The fine was for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". Information about ad personalisation was diluted across several documents, making it hard for users to grasp the full extent of the processing.
Additionally, the option to receive personalised ads was "pre-ticked" when opening a new account, which does not amount to valid consent under the GDPR.
9. Criteo - €40m fine (2023)
GDPR breaches - Art. 7 (1), (3), Art. 12, Art. 13, Art. 15 (1), Art. 17 (1), Art. 26
The French Data Protection Authority (CNIL) has fined Criteo, an online advertising specialist, €40 million in response to complaints from the non-profit organisations Privacy International and None of Your Business (NOYB).
CNIL's decision cites Criteo's failure to ensure that its partners, such as publishers, obtained user consent for using Criteo's cookies. Although partners are primarily responsible for obtaining consent from users, CNIL still holds Criteo responsible for verifying this consent.
The €40 million penalty amounts to approximately 2% of the company's global revenue, reduced from an initial proposal of €60 million by CNIL rapporteurs.
10. H&M - €35.3m fine (2020)
GDPR breaches - Articles 5, 6
In 2020, the Data Protection Authority in Hamburg fined H&M €35.3m for the illegal surveillance of its employees.
After employees took a holiday or sick leave, they had to attend a return-to-work meeting. The company recorded some of these meetings, and the data was accessible to over 50 H&M managers.
This resulted in the company keeping "excessive" records on its workforce's families, religions, and illnesses at its Nuremberg service centre. The company then used the data to help evaluate employees’ performance and make decisions about their employment.
11. TIM - €27.8m fine (2020)
GDPR breaches - Articles 5, 6, 7, 17, 21, 32
Italian data protection regulator Garante fined telecoms provider TIM €27.8 million in 2020 for its cavalier approach to telemarketing and other GDPR breaches.
First, it sent out hundreds of thousands of unsolicited communications without the consent of data subjects who were on the "opt-out" register or were exercising their right not to receive marketing. In one case, it contacted a single individual 155 times in a month.
Second, the privacy notices for TIM apps and promotions were not transparent, and it was unclear why they would use the data. Consent was also incorrectly managed and often invalid - with a single consent used for multiple purposes.
Data retention was also excessive, sometimes exceeding the 10-year limit permitted by law and the company's own five-year policy.
12. British Airways - €22m fine (2020)
GDPR breaches - Article 5(1), 32
The ICO fined British Airways £20m (around €22m) in 2020 after the airline failed to protect the personal data of more than 400,000 customers.
The investigation found that the airline was processing a significant amount of personal data without adequate security measures, in breach of data protection law. As a result, BA fell victim to a cyberattack in 2018 which it did not detect for more than two months.
The attacker potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details the attacker accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts, and usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.
Initially, in July 2019, the ICO issued a notice of intent to fine British Airways an eye-watering £183m for its GDPR failings. The final penalty was reduced to £20m (around €22m) after BA's representations and in light of the economic impact of COVID-19.
13. Clearview AI Inc. - €20m fine (2022)
GDPR breaches - Art. 5 (1) a), b), e), Art. 6, Art. 9, Art. 12, Art. 13, Art. 14, Art. 15, Art. 27
The facial recognition firm Clearview AI was fined €20m by Italy's data protection authority for breaches of EU law. On investigation, the authority found that the personal data the company holds, including biometric and geolocation information, was processed unlawfully.
Furthermore, the company was found to be in breach of its transparency obligations: it had neglected to inform people what it was doing with their photos, and it used their data for purposes other than those for which the images had been published online.
14. Marriott International - €20m fine (2020)
GDPR breach - Article 32
Marriott International Inc failed to keep millions of customers' personal data secure, with 339 million guest records worldwide believed to have been affected following a 2014 cyber-attack on Starwood Hotels and Resorts Worldwide Inc. The attack remained undetected until September 2018, by which time Marriott had acquired the company.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status and loyalty programme membership numbers. Although this is a large fine, it is significantly less than the £99m penalty the Information Commissioner's Office (ICO) had proposed in its initial notice of intent.
15. Meta Platforms Ireland Ltd. - €17m fine (2022)
GDPR breaches - Art. 5 (2), Art. 24 (1)
The Data Protection Commission (DPC) imposed a fine of €17m on Meta Platforms. An investigation into the company formerly known as Facebook Ireland Ltd found that it failed to have appropriate technical and organisational measures in place.
This meant that it could not readily demonstrate the security measures it had implemented in practice to protect EU users' data. The finding arose in the context of twelve personal data breaches.
16. Wind Tre - €16.7m fine (2020)
GDPR breaches - Article 5, 6, 12, 24, 25
Garante, the Italian data protection authority, issued a €16.7 million fine against Wind Tre in 2020 for several unlawful data processing activities concerning direct marketing practices.
Following an extensive investigation, Garante discovered that hundreds of complainants received unsolicited communications sent without their previous consent, through SMS, email, phone calls, and automated calls. They were also unable to exercise their right to withdraw consent and oppose the processing for direct marketing purposes.
Claimants' data was published on public telephone lists despite their opposition. In addition to this, Garante found that Wind Tre's apps 'MyWind' and 'My3' required users to provide their consent for different processing activities with every access. They were only allowed to withdraw their “consent” after a 24-hour window.
17. Deutsche Wohnen – €14.5m fine (2019)
GDPR breaches - Articles 5, 25
One of Germany’s most prominent real estate companies, Deutsche Wohnen, was issued a €14.5 million fine in 2019, which was the largest in the country since the GDPR came into effect.
According to the Data Protection Authority of Berlin, the company didn't comply with general data processing principles. Personal data that the company should have erased years ago was still accessible by employees.
The fine was originally meant to be almost twice as large at €28 million. But the Berlin Commissioner considered that the company cooperated immediately and attempted to fix the issues. Because no other data abuses occurred, they lowered the fine.
18. TikTok - £12.7m fine (2023)
GDPR breaches - Art. 5 (1) a), Art. 12, Art. 13 (UK GDPR)
The Information Commissioner's Office (ICO) has fined TikTok £12.7m for a number of breaches, including unlawfully processing the data of up to 1.4m UK children under the age of 13 without parental consent. The regulator found that TikTok didn't do enough to prevent under-13s from accessing the platform and failed to carry out adequate checks.
Furthermore, the ICO found that TikTok failed to ensure personal data belonging to UK users was processed lawfully, fairly and transparently. The ICO's Children's Code sets out how online services should protect children's data in the digital world.
19. Vodafone Italia - €12.25m fine (2020)
GDPR breaches - Articles 5(1) (2), 6(1), 7, 15(1), 16, 21, 24, 25(1), 32, 33
Garante fined Vodafone Italia €12.25m in 2020 over aggressive telemarketing practices.
Garante launched its investigation after receiving 'hundreds' of complaints about nuisance calls from Vodafone's sales networks. It found that Vodafone's customer information storage system had multiple flaws. The company had purchased contact lists from external providers, containing the information of up to 4.5 million people obtained without user consent.
Vodafone justified the unwanted communication as human error, but this was not deemed an appropriate excuse by the regulator, with other factors including the ‘significantly negligent nature’ and recurrence of the calls.
The regulator ordered Vodafone to overhaul its telemarketing procedures in Italy and prohibited it from processing personal data acquired from third parties without first obtaining user consent.
20. Eni Gas e Luce - €11.5m fine (2020)
GDPR breaches - Articles 5, 6, 7, 21, 32
In Italy, Eni Gas e Luce (Egl) was fined €11.5 million in 2020 by the data protection watchdog for illegal processing of personal data and activating unsolicited contracts.
Its first fine (€8.5m) related to the unlawful processing of personal information for telemarketing and telesales purposes. An investigation found widespread violations, including:
- Marketing calls made to individuals without their consent or despite them objecting to marketing calls.
- Inadequate procedures for checking the public "opt-out" register.
- No technical or organisational measures to log consent.
- Keeping personal data for longer than is necessary.
- Acquiring personal information from other entities without checking consent.
The second fine of €3m was for unsolicited contracts to supply gas and electricity. Around 7,200 individuals learned of the new contract with the first bill or the termination of contract letter from their previous supplier. Customers complained of forged signatures and incorrect information.
Infamous pre-GDPR data breaches
Yahoo currently wears the crown for the biggest data breach of the 21st century. In September 2016, the internet giant revealed that its 2014 data breach had compromised the personal data of 500 million users. Later that year, another breach from 2013 came to light that had compromised 1 billion accounts. That’s one for every seven or eight people on the planet!
But the full extent of the multiple breaches was not acknowledged until October 2017, when Yahoo's new owner Verizon discovered it was not 1 billion accounts that had been compromised in 2013, but 3 billion accounts! That’s every single account under the Yahoo name, including Flickr and Tumblr.
The breaches knocked a huge chunk off Yahoo's sale price, to the tune of $350 million. Having once been valued at $100 billion, Yahoo saw Verizon pay just $4.48 billion for its core internet business. In October 2018, Yahoo agreed to pay $50 million in damages, half of which is to be paid by Verizon and the other half by Altaba, Inc. (Yahoo changed its name to Altaba after the sale of its core business).
But, what would have happened if this breach had taken place post-GDPR?
Of course, the scope of the breach was significant. But what would be crucial today is that Yahoo didn't notify the breach within 72 hours of becoming aware of it, as the GDPR requires. With revenue in excess of $4 billion for the 2012/2013 financial year, Yahoo would have faced a fine of up to $80 million (2% of turnover), or potentially as much as $160 million (4%).
Facebook, now known as Meta, was slapped with a £500,000 fine (the maximum under the pre-GDPR Data Protection Act 1998) for its role in the well-documented Cambridge Analytica scandal. The information of 87 million Facebook users was improperly shared with the political consultancy through a quiz app that collected data from participants and their friends.
Facebook was found guilty of allowing application developers access to user information without sufficient consent, failing to make suitable checks to secure personal information, and not taking action once the misuse of data was discovered.
Equifax was fined £500,000 after failing to protect the personal information of up to 15 million UK customers during a cyber attack. Hackers stole personal data including names, dates of birth, addresses, passwords, driving licences and financial details. The company had retained data for longer than necessary, making it vulnerable to unauthorised access.
The systems compromised were actually based in the US, but because the UK branch failed to ensure its American parent was protecting UK customers' data, the ICO issued the fine.
Want to learn more about GDPR?
We have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules.
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.