As our lives continue to move online, with everything from our medical records to our credit reports existing in digital form, it's dramatically changed our relationship with privacy and posed new challenges to laws around the world designed to protect us.
You can safeguard your data with steps like strong passwords and being vigilant for phishing attempts, but only governments can enforce privacy laws and punish those breaking them. Over the past decade the European Union has conducted a sweeping overhaul of its privacy laws to ensure its regulations were cut out to deal with demands of life online. Its biggest push came in May 2018, when the EU's General Data Protection Regulation, or, came into effect.
The GDPR gives European internet users some of the strongest privacy protections in the world. It prevents organizations from collecting personal data when it's not necessary or when they don't obtain explicit consent. And once they have someone's data, they can't use it for anything other than the original purpose for which they collected it. If there are security breaches, or if that data is held longer than necessary, companies can get in big trouble.
The stakes for not complying are high. Regulators in any of the 27 EU countries can investigate complaints, and they're empowered to hand out huge fines (a maximum of 20 million euros or 4% of a company's global revenue, whichever is higher) for violators. On top of this, victims of any data misuse are entitled to seek compensation. When fines are handed out, companies usually appeal them, leaving the final decisions to be hammered out in the courts.
All Big Tech companies have pledged to comply with Europe's privacy rules, but that doesn't mean they always get it right. So far, Google, Meta (Facebook's parent company) and Twitter all have been fined, and they're also the focus of many ongoing investigations. And it's not just Big Tech companies that are subject to GDPR – it applies to all companies that conduct business online in Europe, from retailers to airlines.
These are the biggest penalties to be handed out so far.
Top Five Biggest GDPR Fines
1. Amazon — 746 million euros ($847 million)
The biggest GDPR fine in the regulation's short history was a penalty handed out to Amazon. , Luxembourg's data protection authority told Amazon it would have to pay a penalty of 746 million euros, following an investigation into the way the company processes customer data.
An Amazon spokesperson said the company strongly disagreed with the decision. An appeal is underway.
2. WhatsApp — 225 million euros ($255 million)
In , the Irish Data Protection Commissioner concluded an almost three-year investigation into WhatsApp by slapping parent company Facebook (now Meta) with the second-largest GDPR fine to date. WhatsApp had failed to fully communicate to European users how it used their data, said the commission. Specifically at issue was how WhatsApp shared data with Facebook.
A spokesperson for the messaging platform said the company disagreed with the decision and would appeal.
3. Google — 50 million euros ($56.6 million)
One of the earliest landmark GDPR fines saw Google penalized by the French regulator for not disclosing to users how their data was being collected and used for targeted advertising. As with the WhatsApp fine, this is an example of how GDPR demands companies be transparent with users and inform them of everything that happens to their data.
Google appealed, but the fine was upheld by the French court.
4. H&M — 35 million euros ($41 million)
Retailer H&M received a fine in Germany in 2020 for its problematic monitoring of employees. The company recorded mandatory back-to-work meetings that workers attended after taking leave, and made the recordings available to managers across the organization without the employees' consent.
The videos contained private details (including medical information) about workers' personal lives, which the company then used to create personal profiles for making decisions about ongoing employment.
5. TIM — 27.8 million euros ($31.5 million)
In January 2020, the Italian privacy regulator issued the Italian telecommunications company a hefty fine for a long list of offenses. Officials discovered the data collection and processing violations after they found the company made regular nuisance calls to noncustomers, many of whom were registered on Italy's do-not-call list. One person was reportedly called 155 times by TIM in a one-month period.