The General Data Protection Regulation (GDPR) is one of the biggest developments in data laws ever. Since it became effective on May 25, 2018, it has given people more power over their personal data. The law has had a massive impact on the way organizations collect, store and handle data. Other than its robust framework and wide applicability, the GDPR is also known for its eye-watering fines for violating organizations. 

It does not differentiate between the size of the liable organizations if they have breached the law. Many big companies, such as Meta (formerly Facebook), Amazon, and Google have come under the GDPR scanner and have been sanctioned with whopping fines for violating its rules. Ever since the GDPR came into effect, many more organizations could not escape its radar. Some of them are relatively smaller organizations. In 2021, Amazon was hit with the largest GDPR fine to date. The year closed with the total sum of fines crossing €1 billion for the first time. 

In this post, we will discuss the ramifications of failing to comply with GDPR and the severity of GDPR fines. We will also list down the 13 biggest GDPR fines imposed so far.

What are the fines and penalties under GDPR?

Under the General Data Protection Regulation (GDPR) [Art. 83], there is a tiered system of fines depending on the nature and severity of the violation.

For tier 1 violations, up to 2% of annual revenue or €10 million, whichever is greater. 

For tier 2 violations, up to 4% of annual revenue or €20 million, whichever is greater. 

The tier 1 fines are applicable for violations related to:

  • Collecting personal data of children without parental consent.
  • Collecting, storing, or processing additional information of a user.
  • Following privacy by design protocols.
  • Sharing personal data with other joint organizations (controllers).
  • Usage of third-party involvement in privacy policies.
  • Records of personal information collected from the users. 
  • Notifying the supervisory authority and the users about a data breach.
  • Performing a data protection impact assessment.
  • Appointing and tasks of a data protection officer.
  • Establishing certification mechanisms.

The tier 2 fines are applicable for violations related to:

  • Lawful bases of processing personal data, including conditions of consent.
  • GDPR rights of EU individuals.
  • Cross-border personal data transfer. 
  • Law adopted by the Member States.
  • Adhering to an order authorized by a GDPR superior authority.

Not all GDPR infringements will result in financial penalties. Depending on the nature of the violation, the GDPR authorities may also decide the course of action against the liable organization. These actions may include a ban on processing activities, an order to delete data and restrictions on cross-border data transfers.

These fines are set to put pressure on businesses to ensure their systems are secure and robust. They are also to encourage organizations not to take risks with the user’s personal data because it could seriously damage their reputation and affect their business.

Individuals’ right to compensation:

According to Art. 82 of GDPR, the affected individuals can claim compensation for the damage suffered from the violation. They can approach the Courts to exercise their right to compensation. The organizations are liable to pay the compensation unless they prove that they are not responsible for the violation.

What are the criteria for imposing GDPR fines?

The GDPR fines are decided on a case-by-case basis and can vary depending upon the circumstances. The GDPR is flexible in that it allows the Member States to decide the level of fine they feel is appropriate for a particular offense.

To decide whether to impose an administrative fine and the amount of the fine on each individual, the following criteria are considered:

  • The nature of the violation, the severity of the damage and the number of people affected;
  • if the violation was negligent or intentional;
  • preventive action or damage control by the organization; 
  • technical and organizational measures implemented to secure people’s data;
  • previous cases of violations by the organization;
  • the degree of cooperation with the supervisory authority to deal with the situation;
  • the type of personal data affected;
  • whether the organization notified the supervisory authority, and to what extent;
  • whether the supervisory authority has taken any action against the organization for the violation;
  • the organization follows code and conducts and other certified mechanisms; and
  • financial benefits gained by the violating organization from the violation.

The maximum fine for the gravest of violations should not exceed the upper-tier administrative fine limit. The Member States have the right to lay down rules for penalties for violations that are not listed in the GDPR, and they should take all necessary actions to ensure its implementation.

How to avoid GDPR fines and penalties?

GDPR is a regulatory framework applying to the processing of the personal data of EU citizens and residents. It is designed to give privacy rights to individuals and enforceable rights to organizations, such as privacy by design and protection by default.  Under this regulation, organizations that collect and process the personal data of EU citizens must comply with the provisions. 

You need to be GDPR compliant if you would like your company not to be fined or suffer other sanctions for violating GDPR requirements. 

The key points an organization must follow to avoid GDPR fines and penalties are:

  1. Understand the personal data you require. This is an important step to prepare the kind of protection and security you should provide depending on the sensitiveness of the data, how much you require them, how will you use it, where will you store it and for how long, where and whom you will share the data with and what happens after you utilize the data for your intended purpose.
  2. Assess the purpose and the lawful basis for collecting the personal data. You cannot collect or process personal data without one of the lawful bases: explicit consent, legal obligation, contractual obligation,  in the public interest, vital interests, or legitimate interest.
  3. Adopt and maintain Privacy by Design and by Default standards.
  4. Get valid consent from users to collect their personal data, and parental consent in case of minors (under all circumstances). Valid consent must be freely given, informed, specific, unambiguous, revocable and provable. 
  5. Do not collect data more than what is required and use it for anything else other purposes other than the intended purpose.
  6. Update privacy policy to inform users about how you will use their data and with whom the data will be shared.
  7. Allow users to exercise their rights and respond to such requests in due time.
  8. Delete or remove personal data as soon as you have fulfilled its purpose.
  9. Ensure third parties you share data with are GDPR compliant.
  10. Ensure proper data protection protocols in cross-border data transfers. The recipient country must have a data protection regime that is equivalent to GDPR.
  11. Ensure adequate data protection and security measures to protect against data breaches and other threats. You must notify affected parties within 72 hours of becoming aware in case of a data breach. The breach notification must include all details about the type of personal data affected, the risks involved, the likely consequences and the remedial measures you have taken and the measures that affected individuals can take to avoid further damage or risks.
  12. Document the data processing procedures for further assessment and improvement.
  13. Train your team or employees about GDPR and its requirements.
  14. Appoint a data protection officer (DPO) if your organization processes sensitive personal data or a large volume of personal data.

GDPR fines and penalties can be pretty demanding. The best way to avoid facing any kind of penalty is to thoroughly educate yourself about the Regulation and then execute it.

What happens when GDPR is breached?

When an organization violates GDPR, the data protection authority (DPA) of the concerned Member State issues an investigation. The investigations are either based on user complaints, self-referrals, allegations made in the press, or reports by other EU DPAs. The data protection authority sets the priority of the case and conducts an online or offline (or both) investigation. The hearings ensue and requisite documents are collected.

The DPAs assess the matter based on the criteria we’ve discussed earlier to decide whether the violation is of lower-tier or upper-tier. Some violations may not result in monetary sanctions, In such cases, the DPA sends out warning letters and a deadline for the violating organization to fix its mistake. Some cases are graver and may result in monetary penalties. The DPA along with the concerned committee decides the fine and whether to make it public or not, based on the severity of the infringement.

CNIL, the France data protection authority processes the infringement and imposes its sanctions as shown:

CNIL GDPR fines and penalties sanction process.
Source: cnil.fr

Biggest GDPR Fines to date (2018 – 2022)

A company’s GDPR violation can be brought to light by inspections conducted by the DPAs, complaints by an employee, a whistleblower, or affected customers, through the company’s self-denunciation, or by the press.

The Enforcement Tracker documents all the reported fines and penalties imposed on violating organizations or companies so far.

Here are the biggest GDPR fines (2018-2021) imposed on companies by the EU DPAs.

#1 Amazon — €746 million ($781 million)

On July 16, 2021, the Luxembourg data protection authority, CNPD hit Amazon with a massive €746 million GDPR fine, the largest to date. The CNDP conducted its investigation following accusations about Amazon’s targeted advertisements. Amazon failed to get “freely given” consent from its users to store advertisement cookies. In 2020, France’s data protection authority, CNIL fined Amazon €35 million for the same reason under the ePrivacy Directive framework.

Amazon responded that it will appeal the fine as it has not breached GDPR and that no user data has been shared with third parties. 

Let us take care of cookie compliance, so you can focus on your business

Sign up on CookieYes and avoid GDPR fines.

Try it free

*no credit card required

#2 Instagram —   €405 million ($427 million)

In September 2022, the Irish Data Protection Commission (DPC) fined Instagram €405 million for breaching GDPR in relation to the handling of children’s data. The investigation focused on two issues: the use of “business accounts” by teenage users, which resulted in the publication of their email addresses and phone numbers, and the default setting of all accounts, including those of teenage users, to “public”. The GDPR requires privacy by design and default, and the DPC’s guidance emphasizes the importance of applying strict privacy settings by default to protect children. The fine is the largest ever imposed by the DPC.

#3 Facebook —  €265 million ($275 million)

In 2022, Irish regulators fined Facebook’s parent company, Meta €265 million for violating GDPR, which mandates that organizations put in place technical and organizational measures to protect user data. The company had been investigated after data on more than 533 million users was discovered on a website for hackers, including users’ names, Facebook IDs, phone numbers, locations, birthdates, and email addresses from over 100 countries. 

Meta claimed that the data was scraped from Facebook using tools designed to help users find their friends via phone numbers. The investigation looked into scraping conducted between May 2018 and September 2019. Meta has said it cooperated fully with the Irish watchdog.

#4 WhatsApp — €225 million ($247 million) 

Meta’s WhatsApp has been in limelight for some time now, unfortunately, for the wrong reasons. Its last privacy policy update has attracted criticism from many countries for being vague about user data sharing with third parties. 

On September 2, 2021, the Irish DPA announced that it has fined the messaging service the second largest GDPR fine of €225 million for not meeting the GDPR requirements in its privacy policies. The investigation revealed that WhatsApp failed to properly explain its data processing activities and provide specific information about its legal basis and purpose for processing personal data in a concise and transparent form in its privacy notice. 

Read in detail why WhatsApp came under fire for its updated privacy policy and how to avoid them here

Creating privacy policy is now easy!

Generate GDPR-compliant privacy policy for your website for free with CookieYes.

CREATE YOUR FREE PRIVACY POLICY

#5 Google —  €150 million ($165 million)

On December 31, 2021, the French Data Protection Authority, CNIL, fined Google a total of €150 million for making it difficult for users of google.fr and youtube.com to refuse or accept cookies. In June 2021, the CNIL investigated the sites and found that the refusal mechanism was more complex than accepting cookies. The Restricted Committee judged that this discouraged users from refusing cookies and infringed on Article 82 of the French Data Protection Act. Google LLC and Google Ireland Limited were fined €90 million and €60 million, respectively. 

The CNIL also issued an injunction requiring that the companies provide a means of refusing cookies as simple as accepting them within three months to guarantee freedom of consent. The use of cookies was carried out within the establishment of Google LLC and Google Ireland Limited on French territory, making the CNIL territorially competent.

Google complied by adding a “Only allow essential cookies” button next to the accept button within the deadline. Consequently, the CNIL closed this particular case on July 13, 2023.

#6 Microsoft — €60 million ($66 million)

On December 19, 2022, CNIL imposed a €60 million fine on Microsoft Ireland Operations Limited due to non-compliance with the French Data Protection Act. The sanction was primarily because the Bing.com website did not allow users to refuse cookies as straightforwardly as accepting them. Investigations revealed that upon visiting Bing.com, cookies were automatically placed on users’ devices without consent, used notably for advertising purposes. Furthermore, refusing cookies required multiple steps compared to a single step to accept, discouraging users and impinging on their freedom of consent.

The CNIL ruled that these practices concerning consent collection and clarity of information violated Article 82 of the French Data Protection Act. Additionally, Microsoft was ordered to establish a compliant consent mechanism within three months or face a daily penalty of €60,000 for delays.

#7 Facebook —   €60 million ($66 million)

On December 31, 2021, CNIL fined Facebook Ireland Limited €60 million for violating the French Data Protection Act. The committee found that Facebook’s website does not offer an equivalent solution for users to refuse cookies as easily as they can accept them. The committee noted that the process of refusing cookies is more complex, which discourages users from doing so and affects their freedom of consent. Additionally, the information given to users was not clear, which generates confusion and gives the impression that it is not possible to refuse cookies. 

The CNIL judged that the methods of collecting consent and the lack of clarity of information provided to users constitute violations of Article 82 of the French Data Protection Act. The sanctions also included a periodic penalty payment, requiring Facebook to provide users with a means of refusing cookies that is as simple as the existing means of accepting them. 

#8 Google — €50 million ($55 million)

On January 21, 2019, France’s CNIL fined the search giant €50 million (the highest at that time) for targeted advertisements without valid consent. The data regulator also found fault with the lack of transparency in informing users about data processing and concluded that the company failed to properly specify the lawful basis for data processing.

Google continues to find trouble with the French DPA. On January 6, 2022, CNIL imposed Google €150 million for breaching French laws, along with Facebook (€60 million). They were fined under the ePrivacy Directive. The penalty came after the tech giants were found to be using misleading cookie consent dark patterns. The CNIL said that the tech giants’ websites (facebook.com, google.fr and youtube.com) failed to make rejecting non-essential cookies as easy it is to accept them. 

The CNIL closed this case on July 13, 2023, following Google’s compliance.

#9 H&M — €35 million ($41 million)

On October 1, 2020, the DPA of Hamburg, Germany sanctioned H&M €35 million for violating the data privacy rights of its employees.

The Swedish clothing company recorded and stored details about their private lives through one-on-one conversations with employees. The details were accessible to multiple managers and were used for profiling for employment-related decision-making. 

#10 TIM —  €27.8 million ($31.5 million)

On February 1, 2020, the Italian telecom company was struck with a €27.8 million fine by the Italy DPA for violating GDPR requirements for its marketing activities. 

Read how to comply with Italy DPA’s cookie guidelines.

The DPA, Garante started investigating following the complaints from users about unwanted marketing calls, despite obtaining consent or opting out.  The Garante found that TIM violated several clauses of the GDPR by mismanaging call centers hired to make marketing calls, failing to update the list of users who had opted out of marketing communications, and allowing discounts and participation in sweepstakes only on condition of consent to marketing communications.

In addition to the fine, the Garante also penalized TIM with several corrective measures including objecting to the use of data collected via their apps.

#11 Enel Energia —   €26.5 million ($29.3 million)

Enel Energia has been fined over €26.5 million by the Italian data protection authority, the Garante Privacy, for unlawfully processing customers’ personal data for telemarketing purposes without their consent. The company must also take measures to comply with national and European data protection regulations, in addition to paying the fine. The investigation followed hundreds of complaints from customers who received unwanted promotional calls on behalf of Enel Energia. The company was found to have engaged in intense and increasingly invasive telemarketing activities, in addition to failing to respond in a timely manner to requests for access to personal data or opposition to data processing for marketing purposes. 

The Garante Privacy ordered Enel Energia to adapt all data processing activities carried out by its sales network to appropriate methods and measures. The company must also provide feedback to interested parties on the exercise of their rights, particularly the right to object to promotional activities, within 30 days of receiving a request. 

#12 British Airways  —  €22 million

The UK’s data protection authority ICO found out that the personal data of more than 400,00 British Airways customers and staff were breached in 2018. The BA’s website was diverted to a fraudulent website that stole the details such as names, addresses, CVV numbers, banking and booking details, employee usernames, and passwords.

Despite reporting the incident to the ICO, the BA was fined due to inadequate security measures that led to the cyber attack. They were initially fined €183 million in 2019 which was reduced to €22 million in 2020 considering the economic impact of COVID-19. The reduction in the fine amount was also due to BA’s active cooperation with the ICO and the adequate measures it took to mitigate the damages suffered due to the breach.

#13 Marriott International — €20.4 million

In 2014, Starwood Hotel (acquired by Marriot in 2016) was cyber-attacked exposing over 330 million guest records like names, payments, passport numbers, etc. 

The ICO’s investigation revealed that Marriot discovered the hack was detected only in 2018 and they failed to notify about it within 72 hours. They failed to take enough measures to ensure safety when they bought Starwood.

The hospitality company was struck with a fine of €20.4 million.

Frequently asked questions

What are the maximum fines for a GDPR breach?

The maximum fine for violating GDPR is 20 million euros or 4% of the annual global turnover of the organization, whichever is greater. This level of fine is imposed for infringements that cause serious harm to the affected individual’s rights and freedom by violations caused by reasons stated for the upper tier.

What fines can be imposed under GDPR?

Under the GDPR, there are two levels of fines depending on the nature and severity of the infringements:

  • Up to 2% of annual revenue or €10 million, whichever is greater. 
  • Up to 4% of annual revenue or €20 million, whichever is greater. 

Can individuals be fined for GDPR breaches?

An individual acting in the capacity of personal or household purpose will not be fined. However, if the individual is acting as a business entity or they violate adopted laws under the Member State, they will be fined. 

Read more about it here.

Where do GDPR fines go?

The EU Member States are allowed to write GDPR into their national laws. Therefore, the GDPR fines are most likely to go to the respective local government or regulators and are used for public funding.

In the case of UK GDPR, the country’s data protection watchdog ICO does not keep the fines with them. It goes to the central government. 

How do I report GDPR violations?

If you think an organization has violated your data protection rights under GDPR, you can officially lodge a complaint and claim compensations. There are two ways to go about it:

  • Lodge a complaint against the violating organization with your national DPA.
  • File a legal case against them in court (you can do it in addition to filing the complaint with the DPA).

The DPA is liable to investigate and update you about its progress or result within 3 months.

In case your national DPA mishandles the case by not informing about the progress or outcome of the case or you are unsatisfied with the outcome with its response to your complaint; you can take legal action against the DPA in court.

Is breach of GDPR a criminal offense?

GDPR violation is treated as a criminal offense based on the Member State law. Some violations may be charged as criminal offenses such as failing to register as a data controller.

E.g., France’s CNIL treats “collecting personal data by fraudulent, unfair or unlawful means” as a criminal offense. One of the criminal offenses in German law is “unlawful transfer / making accessible of non-publicly accessible personal data of a large number of individuals for commercial purposes”.

Hey,
are you an agency?

Deploy cookie banners on multiple client websites with our agency platform.

Partner with CookieYes

Up to 50% off on licenses