Top 10 Biggest GDPR Fines in History (So Far)

In January 2019, CNIL slapped Google with a whopping €50 million fine due to its lacklustre data privacy policy. The issue stemmed from Google's data collection practices while setting up Android devices and creating a Google account.  When users set up their Android phones, CNIL found  Google's privacy policy to be unclear and complex and failing to properly explain how data would be collected and used for personalized advertising. The information presented during Google account creation was also considered insufficient, leaving users unaware of the extent to which their data would be processed and shared across different Google services.

As the forest multi-million GDPR fine at the time, the decision marked the first major penalty under the newly implemented GDPR. It sparked a global conversation about data privacy the need for stricter regulations and the implementation of privacy by design and default.  It also served as a warning to other tech companies, prompting them to review and adapt their data practices to comply with the GDPR.

The €60 million fine issued to Facebook Ireland in December 2023 is just one of many large GDPR fines issued to Meta on this list, but it still holds significance. On December 31, 2021, France’s National Commission on Informatics and Liberty (CNIL) fined Facebook Ireland Limited €60 million for making it too difficult for users to remove cookies from their platform. According to a filing by the data privacy watchdog, Facebook made it much easier for users to accept cookies used for personalized advertising than to reject them.

 It said that the platform’s  "Accept all" button to accept cookies was large and easy to click, while the "Manage data parameters" option was less visible and involved multiple steps to reject cookies. This violated the principle of "informed consent" under the GDPR, which requires offering users a clear and equally convenient way to accept or refuse cookies. The fine served as a warning to companies about the importance of user consent and transparency regarding cookies, while also emphasising the need for a balanced and user-friendly approach to cookie management, offering equal ease for acceptance and rejection.

On December 31, 2021, the French Data Protection Authority, CNIL, fined Google a total of €150 million for making it difficult for users on google.fr and YouTube to refuse or modify cookies. In June of that year, CNIL investigated the sites and found that the refusal mechanism was more complex than accepting cookies. The Restricted Committee judged that this discouraged users from refusing cookies and infringed on Article 82 of the French Data Protection Act. Google LLC and Google Ireland Limited were fined €90 million and €60 million, respectively. 

The crux of the case revolved around the design of Google's cookie banners on google.fr and youtube.com. CNIL found that they made it significantly easier for users to accept all cookies (used for personalized advertising) than to refuse them. These practices were deemed to infringe upon users' right to informed consent under Article 82 of the French Data Protection Act, which aligns with the GDPR. By making it easier to accept cookies than to refuse them, Google was arguably coercing users into consenting to data collection for personalized advertising.

In December 2021, the Irish Data Protection Commission (DPC) hit WhatsApp Ireland with a hefty €225 million fine due to alleged violations of transparency principles concerning how it informed users about its data-sharing practices with Meta. The DPC argued that WhatsApp's privacy policy lacked clarity about the extent of data shared with Meta, including the types of data, purposes of use, and potential onward transfers to third parties. It also believed that the consent mechanism for data sharing with Meta was deemed ambiguous, potentially leading to users unknowingly consenting to a broader scope of data sharing than intended.

While the €225 million fine primarily addressed past transparency issues, it sets a precedent for WhatsApp and other companies that store large amounts of user data. The case also raises broader questions about the complexities of data sharing within corporate groups and the challenges of ensuring transparency across different platforms and services.

In June 2022, Meta Platforms Ireland Limited, the operator of Facebook in the EU, was hit with a €265 million fine by the Irish Data Protection Commission (DPC). This penalty addressed concerns surrounding Meta's legal basis for processing user data, specifically relying on "legitimate interests" without sufficient justification.  The company had been investigated after data on more than 533 million users was discovered on a website for hackers, including users’ names, Facebook IDs, phone numbers, locations, birthdates, and email addresses from over 100 countries. Meta said this data was scraped from Facebook using tools designed to help users find their friends via phone numbers, therefore broadly classifying it as data for “legitimate interests" without specifying how users actually benefit from it. 

Under GDPR, organizations can process personal data based on various legal grounds, including consent and fulfilling contractual obligations. However, this justification requires careful consideration and cannot override individuals' fundamental rights and freedoms. In Meta’s case, the DPC’s investigation found that Meta was relying on "legitimate interests" for scraping conducted between May 2018 and September 2019, ultimately breaking GDPR restrictions. 

In January 2023, the DPC imposed a hefty €345 million fine on TikTok for alleged violations related to processing children's data without their consent. Accounts registered by users under 13 were set to public by default, exposing user information and content to anyone online and breaking GDPR data protection rules. Meanwhile, the "family pairing" feature allowed non-child users to connect with children's accounts, potentially leading to inappropriate interactions or exposure to harmful content and sensitive data. 

DPC’s investigation also found that TikTok collected and used the personal data of users under 13, which once again violated GDPR requirements for explicit parental consent. It also revealed that TikTok's privacy policies and information provided to users lacked clarity and age-appropriate language, making it difficult for children to understand how their data was being used.  The €345 million fine serves as a wake-up call for the industry. Platforms must prioritize children's privacy by design, implement robust age-verification mechanisms, and provide clear and transparent information to users. 

In January 2023, Meta was fined €390 million by the DPC for breaking GDPR rules due to the way it asked permission to use peoples' data for ads on Facebook and Instagram. This hefty fine, the largest GDPR fine ever issued to Meta at the time, targeted the way user data was collected and used for personalized advertising across both platforms. Meta relied on pre-checked boxes for users to agree to personalized ads. This "opt-out" approach was deemed to fall short of GDPR's requirement for "freely given, specific, informed and unambiguous consent." 

The investigation was sparked by complaints made in 2018 by privacy campaigner Max Schrems just like the GDPR. came into operation. In order to comply with GDPR both Facebook and Instagram asked users to click "I accept" to indicate that they agreed to updated terms of service setting out how their data would be used in ads. If users did not accept, they were unable to use Facebook or Instagram. The complainants argued that this meant Meta was forcing them to consent to their data being used in targeted ads, which breaches the GDPR. Meta attempted to justify the practice as necessary for fulfilling a contract with users, but the DPC ultimately rejected this argument, highlighting that personalized advertising wasn't essential for accessing the platforms.

In September 2023, Meta Platforms Ireland Limited was hit with a €405 million fine – its largest fine yet – for failing to protect children’s data on Instagram. The DPC revealed that Instagram had allowed users aged between 13 and 17 to operate business accounts on the platform, publicly revealing the users’ phone numbers and email addresses. It also found the platform had operated a user registration system where the accounts of 13-to-17-year-old users were set to “public” by default, which it alleged put their personal information at risk. 

As per the GDPR, Platforms must design features and practices that consider the specific needs and vulnerabilities of children. This includes features like privacy by design, as well as implementing age restrictions to prevent children from harm online. However the DPC believed  Meta failed to provide clear and age-appropriate protections, leading to some young users accidentally exposing their personal data without realising it. 

In July 2021, the Luxembourg National Commission for Data Protection (CNPD) dropped a €746 million bombshell on Amazon by imposing the largest GDPR fine issued at the time. This monumental penalty stemmed from alleged violations of transparency principles related to personalized advertising and data use on Amazon platforms. The CNPD investigation found that Amazon's data processing practices for personalized advertising lacked transparency and clarity, falling short of GDPR's strict requirements. It also deemed that the process for users to consent to data use for personalized advertising was ambiguous and confusing, and its opt-in/opt-out options weren't presented clearly, so customers were being misled about how Amazon was using their data. 

As per the GDPR, Companies must offer transparent and straightforward information for users to understand and consent to data processing practices. Privacy policies and information about data use should be written in clear and concise language, and easily accessible to users. In Amazon’s case, however, its instructions were simply too complicated for people to understand. Users lacked granular control over how their data was used for personalized advertising, limiting their ability to make informed choices about their privacy. he hefty €746 million fine sent shockwaves through the tech world, highlighting the potential consequences of non-compliance with GDPR.

In January 2023, Meta Platforms Ireland Limited faced a landmark €1.2 billion fine from the Irish Data Protection Commission (DPC) for the way it transferred EU data to the US. This record-breaking penalty, which is the largest GDPR fine ever issued, stemmed from alleged violations of transparency principles related to personalized advertising and data use across both platforms. The DPC investigation revolved around Facebook and Instagram's practices of transferring user data from the EU to the United States for advertising purposes. The agency found that hat Meta's reliance on "standard contractual clauses" to justify data transfers was insufficient under GDPR due to concerns about US surveillance laws potentially overriding user privacy protections. It argued users supposedly weren't informed clearly and comprehensively about the potential risks and implications of their data being transferred to the US for advertising purposes, and the DPC. Users supposedly weren't informed clearly and comprehensively about the potential risks and implications of their data being transferred to the US for advertising purposes.

While Meta is still appealing the fine, the DPC's decision sets a significant precedent. It strengthens enforcement of GDPR and holds large tech companies accountable for ensuring transparency and user privacy in the context of personalized advertising and international data transfers. Companies must have a robust legal basis for transferring user data outside the EU, ensuring adequate safeguards and protections for user privacy. At the same time, users deserve meaningful control over their data, including granular options to manage and limit its use for specific purposes like personalized advertising, even after transfers outside the EU.