GDPR Fines: The Biggest Privacy Penalties Handed Out So Far

Since the introduction of Europe's landmark online privacy law in 2018, companies have faced some hefty sanctions -- especially Facebook parent company Meta.

Katie Collins Senior European Correspondent
Katie is a UK-based news reporter and features writer. Officially, she is CNET's European correspondent, covering tech policy and Big Tech in the EU and UK. Unofficially, she serves as CNET's Taylor Swift correspondent. You can also find her writing about tech for good, ethics and human rights, the climate crisis, robots, travel and digital culture. She was once described as a "living synth" by London's Evening Standard for having a microchip injected into her hand.

Europe's privacy law means big fines for Big Tech.

Andrii Yalanskyi/CNET

As our lives continue to move online, with everything from our medical records to our credit reports existing in digital form, our relationship with privacy has changed dramatically, posing new challenges to the laws around the world designed to protect us.

You can safeguard your data with steps like strong passwords and vigilance against phishing attempts, but only governments can enforce privacy laws and punish those who break them. Over the past decade the European Union has conducted a sweeping overhaul of its privacy laws to ensure its regulations are equipped to deal with the demands of life online. Its biggest push came in May 2018, when the EU's General Data Protection Regulation, or GDPR, came into effect.

The GDPR gives European internet users some of the strongest privacy protections in the world. Organizations may collect personal data only when they have a lawful basis for doing so, such as the person's explicit consent, and only as much as is necessary. Once they have someone's data, they can't use it for anything other than the original purpose for which they collected it. If there are security breaches, or if that data is held longer than necessary, companies can get in big trouble.

The stakes for not complying are high. Regulators in any of the 27 EU countries can investigate complaints, and they're empowered to hand out huge fines (a maximum of 20 million euros or 4% of a company's global revenue, whichever is higher) for violators. On top of this, victims of any data misuse are entitled to seek compensation. When fines are handed out, companies usually appeal them, leaving the final decisions to be hammered out in the courts.

All Big Tech companies have pledged to comply with Europe's privacy rules, but that doesn't mean they always get it right. So far, Google, Meta (Facebook's parent company) and Twitter have all been fined, and they're also the focus of many ongoing investigations. Meta, in particular, has been hammered by the law, accruing over 1.3 billion euros ($1.37 billion) in fines so far. And it's not just Big Tech companies that are subject to GDPR. It applies to every company that does business online in Europe, from retailers to airlines.

These are the biggest penalties to be handed out so far.

The eight biggest GDPR fines

1. Amazon — 746 million euros ($785 million)
The biggest GDPR fine in the regulation's short history is the penalty handed out to Amazon. In July 2021, Luxembourg's data protection authority told Amazon it would have to pay 746 million euros, following an investigation into the way the company processes customer data.

An Amazon spokesperson said the company strongly disagreed with the decision. An appeal is underway.

2. Meta (Instagram) — 405 million euros ($426 million)
In September 2022, Meta was fined more than 400 million euros for failing to protect children's privacy on Instagram. The company was found to be in breach of GDPR for setting children's accounts to public by default and for allowing children to switch to business accounts, which exposed their personal email addresses and phone numbers.

Meta responded by saying it had changed these policies more than a year before the fine was issued, and it confirmed the company would appeal.

3. Meta — 390 million euros ($410 million)
Less than a week into 2023, Meta was hit with a 390 million euro fine from the Irish Data Protection Commission (DPC) for serving Facebook and Instagram users personalized ads without a valid legal basis for doing so, in this case without their explicit consent.

Meta said it was disappointed in the decision because it believes its current consent model complies with GDPR. It intends to appeal both the fine and the substance of the ruling.

4. Meta — 265 million euros ($279 million)
In November 2022, Meta was fined again for GDPR violations. This penalty stemmed from a data breach in which a collated dataset of Facebook users' personal data was made available on the internet.

Meta said it would review the Irish DPC's decision in this case, but the company didn't immediately express any intention to appeal.

5. Meta (WhatsApp) — 225 million euros ($237 million)
In September 2021, the Irish Data Protection Commission concluded an almost three-year investigation into WhatsApp by hitting parent company Facebook (now Meta) with what was, at the time, the second-largest GDPR fine to date. WhatsApp had failed to fully explain to European users how it used their data, said the commission. Specifically at issue was how WhatsApp shared data with Facebook.

A spokesperson for the messaging platform said the company disagreed with the decision and would appeal.

6. Google — 50 million euros ($52.6 million)
One of the earliest landmark GDPR fines saw Google penalized by the French regulator in January 2019 for not disclosing to users how their data was being collected and used for targeted advertising. As with the WhatsApp fine, this is an example of how GDPR demands companies be transparent with users and inform them of everything that happens to their data.

Google appealed, but the fine was upheld by the French court.

7. H&M — 35 million euros ($36.8 million)
Retailer H&M was fined in Germany in 2020 for unlawfully monitoring its employees. The company kept detailed records of mandatory back-to-work meetings that workers attended after taking leave, and made those records available to managers across the organization without the employees' consent.

The records contained private details about workers' personal lives, including medical information, which the company then used to build profiles of individual employees and to make decisions about their ongoing employment.

8. TIM — 27.8 million euros ($29.3 million)
In January 2020, the Italian privacy regulator issued the Italian telecommunications company a hefty fine for a long list of violations. Officials uncovered the data collection and processing violations after finding that the company made regular nuisance calls to noncustomers, many of whom were registered on Italy's do-not-call list. One person was reportedly called 155 times by TIM in a single month.