The 10 Biggest GDPR Fines Of All Time

Today it was announced that Meta was fined a staggering €1.2 billion after breaching the EU General Data Protection Regulation (GDPR). The fine is more than a quarter of a million euros higher than the previous biggest fine for GDPR violation, €746m, received by Amazon in 2021.

The team at Hicomply looked at the 10 biggest fines imposed since GDPR came into force on 25 May 2018 and found that Meta properties in this list alone racked up fines of €2.5 billion.

The top 10 biggest fines were:

1. €1.2bn Meta

In May 2023, Meta received a hefty €1.2bn fine for mishandling data when transferring information between Europe and the United States.

2. €746m Amazon Europe Core S.à r.l.

Amazon received a €746m fine from the Luxembourg National Commission for Data Protection (CNPD) in 2021. The CNPD issued the fine after concluding that Amazon’s practices “did not comply with the EU General Data Protection Regulation.”

3. €405m Meta Ireland (Instagram)

Meta subsidiary Instagram was fined €405m after the European Data Protection Board upheld the Data Protection Commission’s finding that the company had mishandled teenage users’ data.

4. €390m Meta Ireland (Facebook and Instagram)

Meta Ireland again came under fire and received the combined €390m fine after complaints were made about its updated terms of service when GDPR came into effect on 25 May 2018.

5. €265m Meta Ireland (Facebook)

In November 2022, Meta Ireland received the €265m fine from the DPC after Facebook’s compliance with GDPR data protection by design and default principles were called into question.

6. €225m WhatsApp Ireland

WhatsApp Ireland was fined €225m in 2021 after an investigation into the company’s provision of information and the transparency of that information to both users and non-users of WhatsApp’s service.

7. €90m Google

Google was fined €90m in 2021 after its cookie policy was found to be in contravention of Article 82 of GDPR.

8. €60m Facebook Ireland

Facebook Ireland was levied a fine for the violation of Article 82 of GDPR, paying out €60m.

9. €60m Google Ireland

Google Ireland was fined €60m for contravention of Article 82 of GDPR.

10. €50m Google

Google was fined €50m in 2019 after CNIL’s Restricted Committee found that the company violated the obligations of transparency and information.

Ed Bartlett, CEO at Hicomply, said: “Compliant customer data management for businesses is now critical and expensive if you get it wrong, as evidenced by the recent Meta EU fine. Big tech is always in the firing line, as these companies take huge amounts of value from customers’ data. But it’s just not big tech we need to watch.

“Most businesses use in excess of 20 separate cloud hosted platforms. Each one of those should be following GDPR rules, requiring consent before using personal data even when transferred outside the UK or EU. However, the US has weaker privacy laws wherein US intelligence services can also access your data. We’ve seen Canadian firms buying UK-hosted solutions over US-based vendors for this very reason.

“UK firms should always check where their business data is hosted, as you could be inadvertently breaching GDPR with your customers’ data.”