The state of enforcement of the European Union’s flagship privacy regime, the General Data Protection Regulation (GDPR), on the most powerful tech giants remains a topic of ongoing debate. Below we’ve compiled a list of the 10 largest GDPR fines imposed on Big Tech since the regulation started to apply back in May 2018.
Meta, the owner of Facebook, Instagram and WhatsApp, tops the list, both for receiving the single biggest fine to date (€1.2 billion or around $1.31 billion at current exchange rates) and because it accounts for a majority of these largest penalties (six or more, depending on whether you count per platform).
Please note this list only includes major penalties issued to tech firms under the GDPR. In recent years, some significant sanctions have also been issued on Big Tech via the bloc’s older ePrivacy Directive, but you won’t find those listed here.
Penalties issued to tech firms under GDPR
1. Meta (Facebook): Fined €1.2 billion (~$1.31 billion) in May 2023 by the Irish Data Protection Commission (DPC) for violating the rules on transferring Facebook users’ personal data out of the European Union.
2. Amazon: Fined €746 million (~$815 million) in July 2021 by Luxembourg’s National Commission for Data Protection (CNPD) following complaints that its use of personal data for ad targeting was not based on consent.
3. Meta (Instagram): Fined €405 million (~$443 million) in September 2021 by Ireland’s DPC for failings in its handling of minors’ data.
4. Meta (Instagram and Facebook): Fined a total of €390 million (~$426 million) in January 2023 by Ireland’s DPC for failing to have a valid legal basis to process user data for ad targeting.
5. ByteDance (TikTok): Fined €345 million (~$377 million) in September 2023 by Ireland’s DPC for failings in its handling of minors’ data.
6. Meta (Facebook and Instagram): Fined €265 million (~$290 million) in November 2022 by Ireland’s DPC for breaches of data protection by default and design after certain platform features, including contact importer and search tools, made the personal data of hundreds of millions of users discoverable to all other users.
7. Meta (WhatsApp): Fined €225 million (~$246 million) in September 2021 by Ireland’s DPC for breaking GDPR transparency obligations and failing to make it clear to users how it processes their data.
8. Alphabet/Google (Android): Fined €50 million (~$55 million) in January 2019 by France’s National Commission on Informatics and Liberty (CNIL) for transparency and consent failings related to its Android mobile platform.
9. Meta (Facebook): Fined €17 million (~$18.5 million) in March 2022 by the Irish DPC for a string of security breaches thought to have affected up to 30 million users.
10. ByteDance (TikTok): Fined around €14.8 million at current exchange rates (~$16 million) in April 2023 by the U.K.’s Information Commissioner’s Office (ICO) in another case related to minor protection. (Note: Despite the U.K. no longer being in the EU, its data protection rules are still based on the GDPR.)
Not strictly Big Tech but worth a mention
Adtech giant Criteo was issued with a preliminary fine of €60 million (~$65 million) in August 2022 by France’s CNIL for a range of GDPR breaches. But in June 2023, the level of penalty was reduced to €40 million (~$44 million) after the adtech giant made representations. The enforcement followed complaints that Criteo did not have users’ consent for tracking and profiling them for ad targeting.
Another bonus mention: U.S.-based AI startup Clearview AI was fined the maximum possible (€20 million or around $22 million, based on its revenue) a full three times in 2022 by data protection authorities in Italy, Greece and France. The sanctions were for unlawful data processing as a result of its tactic of scraping selfies off the internet to train a facial-recognition ID-matching AI tool. In the same year, the U.K.’s ICO also hit it with a smaller sanction for GDPR breaches, so the controversial startup’s activities have drawn a lot of enforcement.
