Major GDPR Fines: 2018-2023

1. Google LLC: €50 Million (January 2019)

The French data protection authority, CNIL, imposed a fine of €50 million on Google for failing to provide transparent and easily accessible information to users about its data consent policies and not having a valid legal basis for processing personal data for advertising purposes.

2. H&M Hennes & Mauritz Online Shop: €35.3 Million (October 2020)

The German data protection authority levied a fine of €35.3 million against the retail giant H&M for the unlawful monitoring of several hundred employees at its service center in Nuremberg, which violated employees’ right to privacy.

3. WhatsApp Ireland Ltd.: €225 Million (September 2021)

WhatsApp was fined €225 million by the Irish Data Protection Commission after failing to meet GDPR requirements for transparency regarding the sharing of data with other Facebook companies.

4. Amazon Europe Core: €746 Million (July 2021)

In the largest GDPR fine to date, Amazon was penalized by the Luxembourg National Commission for Data Protection. The fine was for non-compliance with general data processing principles, including lawful processing of personal data transferred to other countries.

5. Meta Platforms Ireland Limited (formerly Facebook): €265 Million (November 2022)

The Irish DPC fined Meta Platforms over a data leak in which personal data of up to 533 million users was published online. The leak, together with inadequate technical and organizational measures to protect the data, led to the hefty fine.

Trends and Insights

  • Increased Enforcement Across Europe: GDPR enforcement started slowly, but recent years have seen a significant increase in the number and size of fines, indicating that regulatory activity is ramping up across Europe.
  • Focus on Big Tech: Many of the highest fines under GDPR have targeted major technology companies, reflecting concerns over how personal data is processed at scale, particularly for advertising.
  • Variation Among EU Countries: There is considerable variation in how different EU countries apply GDPR, with some data protection authorities (DPAs) being more proactive and stringent than others.