The European Union's enforcement of the General Data Protection Regulation (GDPR) against major tech companies has been a subject of ongoing discussion. Here, we present a list of the top 10 GDPR fines imposed on Big Tech since the regulation came into effect in May 2018.
At the top of the list is Meta, the parent company of Facebook, Instagram, and WhatsApp. It received the largest single fine to date (€1.2 billion, or approximately $1.31 billion) and accounts for the majority of the largest penalties, with six or more fines issued depending on the platform.
It is important to note that this list focuses solely on significant penalties imposed on tech firms under the GDPR. While substantial sanctions have also been levied on Big Tech through the older ePrivacy Directive within the EU, they are not included here.
Penalties Issued to Tech Firms Under GDPR
1. Meta (Facebook): In May 2023, the Irish Data Protection Commission (DPC) fined Meta €1.2 billion (~$1.31 billion) for violating the rules on transferring Facebook users’ personal data outside the EU.
2. Amazon: Luxembourg’s CNPD fined Amazon €746 million (~$815 million) in July 2021 for using personal data for ad targeting without proper consent.
3. Meta (Instagram): In September 2021, Ireland’s DPC fined Meta €405 million (~$443 million) for mishandling minors’ data.
4. Meta (Instagram and Facebook): In January 2023, Ireland’s DPC fined Meta a total of €390 million (~$426 million) for processing user data for ad targeting without a valid legal basis.
5. ByteDance (TikTok): Ireland’s DPC fined ByteDance €345 million (~$377 million) in September 2023 for mishandling minors’ data.
6. Meta (Facebook and Instagram): In November 2022, Ireland’s DPC fined Meta €265 million (~$290 million) for data protection breaches related to default features that exposed user data.
7. Meta (WhatsApp): In September 2021, Ireland’s DPC fined Meta €225 million (~$246 million) for GDPR transparency violations and unclear data processing practices.
8. Alphabet/Google (Android): France’s CNIL fined Google €50 million (~$55 million) in January 2019 for transparency and consent issues on its Android platform.
9. Meta (Facebook): In March 2022, the Irish DPC fined Meta €17 million (~$18.5 million) for security breaches affecting millions of users.
10. ByteDance (TikTok): The U.K.’s ICO fined ByteDance around €14.8 million (~$16 million) in April 2023 for violations of protections for minors. Although the U.K. is no longer in the EU, its data protection laws are aligned with GDPR.
Not Strictly Big Tech but Worth a Mention
Adtech giant Criteo was initially fined €60 million (~$65 million) by France’s CNIL in August 2022, later reduced to €40 million (~$44 million) after representations, for GDPR breaches related to lack of user consent in ad targeting.
Additionally, U.S.-based AI startup Clearview AI faced multiple fines totaling €20 million (around $22 million) in 2022 from authorities in Italy, Greece, and France for unlawful data processing. The startup’s activities, which involve scraping internet selfies for facial recognition, also led to a smaller GDPR fine from the U.K.’s ICO.