Enforcement of the General Data Protection Regulation (GDPR) on tech giants has been a contentious issue since its implementation in May 2018. The largest fines imposed on Big Tech under the GDPR have raised questions about the effectiveness of the regulation and the ability to hold powerful companies accountable for data privacy violations. Below, we have compiled a list of the ten largest GDPR fines issued to tech firms, shedding light on the penalties imposed on some of the biggest players in the industry.
1. Meta (Facebook): The owner of Facebook, Instagram, and WhatsApp holds the record for the largest fine to date, amounting to €1.2 billion (approximately $1.31 billion). The Irish Data Protection Commission (DPC) imposed this fine in May 2023 for Meta’s violation of rules regarding the transfer of Facebook users’ personal data out of the European Union.
2. Amazon: In July 2021, Luxembourg’s National Commission for Data Protection (CNPD) fined Amazon €746 million (around $815 million). The fine followed complaints that Amazon used personal data for targeted advertising without proper consent.
3. Meta (Instagram): In September 2021, Ireland’s DPC fined Meta (Instagram) €405 million (approximately $443 million) for its mishandling of minors’ data. This penalty highlights the significance of protecting the personal information of vulnerable users.
4. Meta (Instagram and Facebook): Ireland’s DPC imposed a total fine of €390 million (about $426 million) on Meta (Instagram and Facebook) in January 2023. The fine was for Meta’s failure to have a valid legal basis for processing user data for ad targeting.
5. ByteDance (TikTok): Ireland’s DPC fined ByteDance, the parent company of TikTok, €345 million (around $377 million) in September 2023. The penalty was a result of ByteDance’s failure to handle minors’ data appropriately.
6. Meta (Facebook and Instagram): In November 2022, Ireland’s DPC fined Meta (Facebook and Instagram) €265 million (approximately $290 million). The fine was issued due to data protection breaches resulting from certain platform features that made the personal data of hundreds of millions of users accessible to all other users.
7. Meta (WhatsApp): In September 2021, Ireland’s DPC fined Meta (WhatsApp) €225 million (around $246 million) for violating GDPR transparency obligations. The company failed to inform users clearly about how their data was being processed.
8. Alphabet/Google (Android): France’s CNIL fined Alphabet/Google €50 million (approximately $55 million) in January 2019 for transparency and consent failings related to its Android mobile platform. This penalty highlights the importance of clear consent mechanisms and transparent data practices.
9. Meta (Facebook): In March 2022, the Irish DPC fined Meta (Facebook) €17 million (about $18.5 million) for a series of security breaches affecting up to 30 million users. This case emphasizes the need for robust security measures to protect user data.
10. ByteDance (TikTok): The U.K.’s Information Commissioner’s Office (ICO) imposed a fine of around €14.8 million (approximately $16 million) on ByteDance (TikTok) in April 2023. This penalty, despite the U.K. no longer being in the EU, was based on the GDPR rules and focused on the protection of minors.
It is worth mentioning that adtech giant Criteo received a preliminary fine of €60 million (about $65 million) in August 2022 from France’s CNIL for various GDPR breaches. However, this penalty was later reduced to €40 million (around $44 million) after representations were made by the company. The enforcement action against Criteo highlighted concerns regarding user consent for tracking and profiling.
Another notable mention is Clearview AI, a U.S.-based AI startup that faced significant penalties in 2022. Italian, Greek, and French data protection authorities fined Clearview AI the maximum possible amount of €20 million (approximately $22 million) multiple times. These sanctions were a result of the company’s unlawful data processing, as it scraped selfies from the internet to train a facial recognition AI tool. The startup also faced a smaller sanction from the U.K.’s ICO for GDPR breaches. Clearview AI’s activities have drawn widespread attention and enforcement actions due to the ethical concerns surrounding its data practices.
Overall, the list of the largest GDPR fines on Big Tech demonstrates the importance of data protection and privacy in the digital age. These penalties serve as a reminder that tech giants must prioritize user privacy and comply with regulations to avoid substantial financial consequences. The enforcement of the GDPR continues to evolve, and it remains to be seen how future fines will influence the behavior of these companies and shape data privacy practices.