It has been a record-breaking year for GDPR fines, and there is still over a quarter of 2023 to go. We explain the reasons behind these fines and offer tips on how to prevent your company from committing similar breaches.
Top GDPR fines in 2023
- Meta Platforms Ireland Ltd. - €1.2bn fine
- Meta Platforms Ireland Ltd. - €390m fine
- TikTok Ltd - €345m fine
- Criteo - €40m fine
- TikTok - £12.7m fine
- TIM SpA - €7.6m fine
- WhatsApp Ireland Ltd. - €5.5m fine
- Clearview AI Inc - €5.2m penalty
- Spotify - €4.9m fine
- Trygg-Hansa - €3m fine
- B2 Kapital - €2.2m fine
The biggest 2023 GDPR fines in detail
1. Meta Platforms Ireland Ltd. - €1.2bn fine
GDPR breaches - Art. 46 (1)
Ireland's Data Protection Commission (DPC) found Meta to be in violation of the GDPR's rules on international transfers. The record-breaking €1.2bn fine was issued to Facebook's parent company for transferring European users' personal data to the United States (US) without adequate protection.
At the heart of the breach is Meta's reliance, since 2020, on standard contractual clauses (SCCs) to transfer Facebook data to the US after the Court of Justice of the EU invalidated the Privacy Shield in its Schrems II judgment. SCCs are a valid transfer mechanism only if the data receives an essentially equivalent level of protection in the destination country; the DPC found that Meta's SCCs and supplementary measures did not address the risks to data subjects identified by the court.
In addition to the fine, Meta has been ordered to bring its data transfers into compliance with the GDPR. Meta has stated that it will appeal this decision.
2. Meta Platforms Ireland Ltd. - €390m fine
GDPR breaches - Art. 5 (1) a), Art. 6 (1), Art. 12, Art. 13 (1) c)
Meta Platforms Ireland Ltd. makes a second appearance for the year with a €390m fine for the way it obtained the right to use people's data for personalised ads on Facebook and Instagram. Meta had relied on users' acceptance of its terms of service as a contractual basis for behavioural advertising; the regulator found this unlawful, since users were effectively forced to accept that use of their data or leave the platform.
During the investigation, the Irish Data Protection Commission (DPC) also found that Meta was not clear enough about how and why it would use a user's data.
3. TikTok Ltd - €345m fine
The Irish Data Protection Commission (DPC) fined TikTok €345m for breaching a number of GDPR rules, including setting the accounts of users aged 13 to 17 to public by default.
This failure to shield underage users from public view was compounded by not giving those users transparent information and by not verifying that the adult 'paired' with a child account through the 'family pairing' feature was in fact a parent or guardian.
The DPC also found that TikTok had not properly assessed the risks posed to children under 13 who gained access to the platform.
4. Criteo - €40m fine
GDPR breaches - Art. 7 (1), (3), Art. 12, Art. 13, Art. 15 (1), Art. 17 (1), Art. 26
The French data protection authority (CNIL) fined Criteo, an online advertising company, €40 million following complaints from the non-profit organisations Privacy International and None of Your Business (NOYB).
CNIL's decision cites Criteo's failure to ensure that its partners, such as publishers, had obtained users' consent before Criteo's cookies were placed. Although the partners are primarily responsible for collecting consent, CNIL held that Criteo must still verify that valid consent was obtained.
The €40 million penalty, roughly 2% of the company's global revenue, was reduced from the €60 million initially proposed by the CNIL rapporteur.
5. TikTok - £12.7m fine
GDPR breaches - Art. 5 (1) a), Art. 12, Art. 13
The UK's Information Commissioner's Office (ICO) fined TikTok £12.7m for a number of breaches, including unlawfully processing the data of up to 1.4m UK children under the age of 13. The regulator found that TikTok did not do enough to keep under-13s off the platform and failed to carry out adequate age checks.
The ICO also found that TikTok had failed to ensure that UK users' personal data was processed lawfully, fairly and transparently. The ICO's Children's code (the Age appropriate design code), in force since 2021, sets out how online services should protect children's personal data.
6. TIM SpA - €7.6m fine
GDPR breaches - Art. 5 (2), Art. 6, Art. 7, Art. 12 (2), (3), Art. 13, Art. 14, Art. 15 (1), Art. 32 (1) b)
The Italian data protection authority (Garante) issued a €7.6m fine to the telecommunications operator TIM SpA for inadequate supervision of unauthorised call centres carrying out telemarketing on its behalf. The company has been investigated before and still has room for improvement when it comes to data processing.
The investigation found that the company inadequately responded to requests from individuals to exercise their data subject rights and published personal data in public telephone directories without getting consent.
7. WhatsApp Ireland Ltd. - €5.5m fine
GDPR breaches - Art. 6 (1), Art. 12, Art. 13 (1) c)
The Irish watchdog fined WhatsApp Ireland Ltd €5.5m for relying on users' acceptance of its terms of service as the legal basis for processing their personal data for "service improvements and security", leaving them no choice but to accept or stop using the service. The case mirrors the one against Meta Platforms Ireland Ltd.; both stem from complaints filed on 25 May 2018, the day the GDPR became applicable.
In addition to the fine, WhatsApp Ireland Ltd has also been ordered to bring its data processing operations into compliance with EU privacy rules within six months.
8. Clearview AI Inc. - €5.2m penalty
GDPR breaches - penalty for failure to comply with privacy orders
Clearview AI Inc. is in hot water again after failing to comply with the French regulator's orders. In October 2022 the CNIL fined the company €20m and ordered it to stop collecting and processing the data of individuals in France without a legal basis and to delete the data already collected, giving it two months to comply. Clearview AI did not demonstrate compliance within that period.
The CNIL has therefore imposed an overdue penalty payment of €5.2m, payable in addition to the outstanding fine.
9. Spotify - €4.9m fine
GDPR breaches - Art. 12 (1), Art. 15 (1), (2)
The music streaming platform Spotify was fined SEK 58 million (about €4.9m) in Sweden for breaching its users' right of access. The Swedish Authority for Privacy Protection (IMY) found that when users requested a copy of their personal data, Spotify did not explain clearly enough how that data was being used.
Because Spotify operates in many countries, the decision was taken in cooperation with other EU data protection authorities. Spotify rejects IMY's findings and intends to appeal the decision.
10. Trygg-Hansa - €3m fine
GDPR breaches - Art. 5 (1) f), Art. 32 (1)
The Swedish Authority for Privacy Protection (IMY) fined Tryg Forsikring A/S (trading as Trygg-Hansa) SEK 35 million (approximately €2.9m) for breaching the General Data Protection Regulation (GDPR), following a complaint.
IMY received the complaint in December 2020, alleging that Trygg-Hansa had allowed unauthorised access to sensitive personal data of its customers. On investigation, IMY found that the affected processing covered the personal data of approximately 650,000 individuals, including names, contact details, health information, social security numbers, financial data, insurance records, event details and property information.
This data, including sensitive health information, was reachable over the internet without any authentication. IMY noted that the data of 202 customers was affected and that the unauthorised access was possible from October 2018 to February 2021.
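As an added illustration, and not taken from the IMY decision or from Trygg-Hansa's systems (the page does not describe how the documents were exposed), the following Python sketch shows the failure mode named above: a document endpoint that trusts nothing but the document number in the URL, next to a hardened version that requires an authenticated session, checks that the caller owns the document, and, for links that must be sent to customers, binds the link to the document and an expiry with an HMAC. All names, documents and the server key are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # customer account the document belongs to
    contents: str   # at an insurer this would be a PDF with claim/health data


# Constructed sample store with sequential IDs, as a naive system might use.
DOCUMENTS = {
    1001: Document(1001, "alice", "Claim 1001: knee surgery, 2020-11-02"),
    1002: Document(1002, "bob", "Claim 1002: asthma medication"),
    1003: Document(1003, "carol", "Policy 1003: property valuation"),
}

# Hypothetical server-side secret; load it from a secret store in practice.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


class Forbidden(Exception):
    """Raised instead of returning data whenever access is refused."""


def fetch_document_insecure(doc_id: int) -> Optional[str]:
    """Vulnerable handler for GET /documents/<doc_id>: the document number in
    the URL is the only thing between the internet and the file."""
    doc = DOCUMENTS.get(doc_id)
    return doc.contents if doc else None


def enumerate_insecure(start: int, end: int) -> List[int]:
    """What an attacker does against the insecure endpoint: walk the ID space
    and collect every document that comes back."""
    return [i for i in range(start, end + 1)
            if fetch_document_insecure(i) is not None]


def fetch_document_secure(doc_id: int, session_user: Optional[str]) -> str:
    """Hardened handler: an authenticated session is required, and the caller
    must own the document (object-level authorisation, not just a login)."""
    if session_user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    # Same refusal for 'missing' and 'not yours', so IDs cannot be probed.
    if doc is None or doc.owner != session_user:
        raise Forbidden("not found or not authorised")
    return doc.contents


def sign_link(doc_id: int, owner: str, expires_at: int,
              key: bytes = SERVER_KEY) -> str:
    """Signature for a time-limited link that can be mailed to a customer:
    it commits to the document, its owner and an expiry (Unix time)."""
    msg = f"{doc_id}:{owner}:{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def fetch_with_link(doc_id: int, owner: str, expires_at: int, sig: str,
                    now: int, key: bytes = SERVER_KEY) -> str:
    """Serve a document from a signed link. Changing the document number,
    owner or expiry in the URL invalidates the signature, and an expired
    link is refused even when the signature is valid."""
    if now > expires_at:
        raise Forbidden("link expired")
    expected = sign_link(doc_id, owner, expires_at, key)
    if not hmac.compare_digest(expected, sig):
        raise Forbidden("invalid or tampered link")
    # The signature only proves we issued the link; ownership is still
    # checked against the document store.
    return fetch_document_secure(doc_id, owner)
```

A signed link is a bearer capability: anyone who obtains it can open the document until it expires, so keep expiries short, log each use, and prefer the session-based handler wherever the customer can log in.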
11. B2 Kapital - €2.2m fine
GDPR breaches - Art. 6 (1), Art. 13 (1), Art. 28 (3), Art. 32 (1) b), d), Art. 32 (2)
B2 Kapital, acting as data controller, was fined €2.2m for unlawfully processing personal data. The Croatian Personal Data Protection Agency (AZOP) found that B2 Kapital had failed to inform data subjects about the processing of their data, a breach of the GDPR's transparency requirements.
Furthermore, the controller had not concluded a data processing agreement, as Art. 28 (3) requires, with the processor it used to monitor simple consumer bankruptcy proceedings, leaving the personal data at risk. The investigation also found that B2 Kapital had failed to apply appropriate technical and organisational security measures.
What can we learn from these GDPR fines?
In some instances, the only possible conclusion is that the companies involved had forgotten the GDPR existed. Among the other penalties, however, there are some common themes to learn from:
- Always make proper disclosures to individuals (in contracts and privacy notices) about what personal data you process and your lawful basis for doing so.
- Never use personal information in unfair, detrimental, unexpected, or misleading ways.
- Ensure personal information is promptly deleted or securely destroyed once the purpose for which it was collected no longer applies.
- Set up procedures and enforce rules to keep personal data secure - don't underestimate the inconvenience, worry or distress to individuals if their personal data is lost or stolen.
- Appoint a Data Protection Officer (DPO) where required, or otherwise a named person with overall responsibility, who can ensure proper governance and accountability across your company.
Want to learn more about GDPR?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.