GDPR enforcement has escalated dramatically since the regulation came into force in 2018. The first few years saw relatively modest penalties, but regulators have since issued fines in the hundreds of millions—and in 2023, the first billion-euro penalty.
By January 2025, cumulative GDPR fines had reached approximately €5.88 billion across over 2,000 enforcement actions. The message is clear: data protection failures carry serious financial consequences.
Here are the biggest GDPR fines issued to date, what went wrong, and what you can learn from each case.
1. Meta (Facebook) – €1.2 Billion (2023)
The largest GDPR fine ever issued.
In May 2023, Ireland’s Data Protection Commission fined Meta €1.2 billion for transferring European users’ personal data to the United States without adequate safeguards. This followed years of regulatory scrutiny after the Schrems II ruling invalidated the EU-US Privacy Shield.
The DPC found that Meta’s Standard Contractual Clauses did not provide sufficient protection against US surveillance laws. Meta was also ordered to suspend data transfers to the US within five months.
Appeal status: Under appeal. Meta has called the fine “unjustified” and is challenging the decision. Payment suspended pending outcome.
Key lesson: International data transfers require robust legal mechanisms. The EU-US Data Privacy Framework now provides a path forward, but organisations must verify their transfer arrangements comply with current requirements.
Source: EDPB announcement
2. Amazon – €746 Million (2021)
Luxembourg’s data protection authority fined Amazon for processing personal data for targeted advertising without valid consent. The fine targeted Amazon’s advertising practices rather than its retail operations.
Amazon disclosed the fine in its quarterly earnings report but provided limited details, as Luxembourg’s regulator does not publish full decision texts.
Appeal status: Appeal dismissed. In March 2025, Luxembourg’s Administrative Court upheld the fine in full. Amazon may appeal further to a higher court.
Key lesson: Advertising and tracking require clear, informed consent. “Legitimate interests” does not cover invasive ad targeting without transparency.
3. TikTok – €530 Million (2025)
Ireland’s DPC fined TikTok for transferring European users’ data to China without adequate protections. The investigation found that staff in China remotely accessed EEA users’ personal data, which the DPC treated as a transfer, and that TikTok could not verify or demonstrate that this data received protection equivalent to that guaranteed within the EU.
TikTok failed to carry out adequate assessments of the risks posed by Chinese laws, which could compel disclosure of data to government authorities.
Appeal status: Stay granted. In November 2025, the Irish High Court suspended the fine pending TikTok’s full appeal, allowing data transfers to China to continue in the meantime.
Key lesson: Transfer Impact Assessments are essential when sending data to countries without adequacy decisions. You must evaluate local laws that could undermine data protection.
Source: Irish DPC announcement
4. Meta (Instagram) – €405 Million (2022)
Instagram was fined for exposing children’s contact details—email addresses and phone numbers—and defaulting accounts for users aged 13-17 to public visibility.
The Irish DPC found that Instagram’s business account feature allowed children to publish contact information, and privacy settings did not adequately protect minors.
Appeal status: Under appeal. Meta is challenging the decision in the Irish High Court, arguing the fine is unconstitutional. Outcome pending.
Key lesson: Children’s data requires enhanced protection. Default settings should prioritise privacy, especially for minors.
Source: Irish DPC announcement
5. Meta – €390 Million (2023)
Meta was fined for forcing users to accept personalised advertising as a condition of using Facebook and Instagram. The company had relied on “contractual necessity” as its legal basis, claiming targeted ads were part of the service contract.
The EDPB rejected this approach, finding that users must have genuine choice about personalised advertising.
Appeal status: Under appeal by both sides. Meta is challenging the fine. Unusually, the Irish DPC is also appealing the EDPB’s direction, arguing it overreached its authority.
Key lesson: You cannot bundle consent for data processing with access to a service. Users must be able to refuse non-essential processing without losing access.
Source: Irish DPC announcement
6. TikTok – €345 Million (2023)
TikTok’s earlier major fine, issued in September 2023, came for setting children’s accounts to public by default, making videos viewable by anyone. The platform also used “dark patterns” that pushed users toward less private options.
The Irish DPC found that TikTok failed to implement data protection by design and by default for its youngest users.
Appeal status: TikTok disputed the findings at the time. Current appeal status unclear.
Key lesson: Privacy by default is a legal requirement, not a suggestion. Services used by children face heightened scrutiny.
Source: Irish DPC announcement
7. LinkedIn – €310 Million (2024)
LinkedIn was fined for using member data for behavioural analysis and targeted advertising without valid legal basis. The Irish DPC found that LinkedIn’s reliance on legitimate interests was not justified given the invasive nature of the processing.
The decision also criticised LinkedIn’s transparency, finding that privacy notices did not adequately explain how data was used for advertising.
Appeal status: Under appeal. LinkedIn is challenging the decision in the Irish High Court, arguing the fine is “criminal in nature” and disproportionate.
Key lesson: Legitimate interests requires genuine balancing. Extensive profiling for advertising rarely passes the test.
Source: Irish DPC announcement
8. Uber – €290 Million (2024)
The Dutch Data Protection Authority fined Uber for transferring European drivers’ sensitive personal data—including medical records and criminal background checks—to the United States without adequate safeguards.
Uber had relied on Standard Contractual Clauses after the Privacy Shield was invalidated, but stopped using them in August 2021 and then continued the transfers with no transfer tool at all until it certified under the EU-US Data Privacy Framework at the end of 2023.
Appeal status: Under appeal. Uber has called the decision “flawed and unjustified” and announced it will challenge the fine. Outcome pending.
Key lesson: When a transfer mechanism is invalidated, you must implement alternatives immediately—not continue transfers while figuring it out.
Source: Dutch DPA announcement
9. WhatsApp – €225 Million (2021)
WhatsApp was fined for transparency failures—specifically, not adequately informing users about how their data was shared with other Meta companies (Facebook, Instagram).
The Irish DPC found that WhatsApp’s privacy notices were unclear about data sharing arrangements within the Meta group.
Appeal status: Under appeal. WhatsApp has taken the case to the Court of Justice of the European Union (CJEU), the EU’s highest court. Outcome pending.
Key lesson: Privacy notices must clearly explain data sharing, especially within corporate groups. Vague language about “affiliates” is not sufficient.
Source: Irish DPC announcement
10. Google – €150 Million (2022)
France’s CNIL fined Google for making it difficult to reject cookies on google.fr and youtube.com. While users could accept all cookies with one click, rejecting them required multiple steps.
The CNIL found this asymmetric design violated the requirement for freely given consent. Strictly, the CNIL acted under France’s ePrivacy rules (Article 82 of the Loi Informatique et Libertés) rather than the GDPR itself, which is why it could decide the case directly instead of routing it through Google’s lead authority in Ireland; the fine is nonetheless counted in most GDPR fine rankings, this one included.
Appeal status: Paid. Google paid the fine and subsequently received additional CNIL penalties in 2025 (€325 million) for continued cookie violations.
Key lesson: Rejecting cookies must be as easy as accepting them. Dark patterns in consent interfaces attract regulatory attention.
Source: CNIL announcement
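As an added illustration (not code from this page, from Google or from the CNIL), here is the consent logic in JavaScript that a site needs to avoid the asymmetry the CNIL penalised: accept and reject are each a single action, non-essential scripts are gated on a recorded choice rather than loaded unconditionally, and the record carries the version and timestamp needed to demonstrate consent later. The category names, the policy version string and the loader callbacks are assumptions for illustration.

```javascript
// Added example (not code from the page, Google or the CNIL): the consent logic a
// site needs to avoid the asymmetry the CNIL penalised. Category names, the
// policy version string and the loader callbacks are assumptions for illustration.

const POLICY_VERSION = "2026-01";                 // assumed: version of the notice being consented to
const NON_ESSENTIAL = ["analytics", "marketing"]; // assumed purpose categories; strictly necessary cookies need no consent

// Turn one user action into a consent record. "accept_all" and "reject_all" are
// each a single call, so both paths cost the user the same single click; a
// granular choice is the optional third path. `nowMs` is injectable so records
// are reproducible in tests.
function recordChoice(action, nowMs = Date.now()) {
  let granted;
  if (action === "accept_all") {
    granted = [...NON_ESSENTIAL];
  } else if (action === "reject_all") {
    granted = [];
  } else if (action && Array.isArray(action.granular)) {
    // Keep only known categories; unknown names are dropped rather than trusted.
    granted = NON_ESSENTIAL.filter((c) => action.granular.includes(c));
  } else {
    throw new Error("unknown consent action");
  }
  return {
    version: POLICY_VERSION,
    timestamp: new Date(nowMs).toISOString(),
    granted,
    // Art. 7(1) GDPR: the controller must be able to demonstrate consent, so the
    // record keeps how the choice was made, not only its result.
    source: typeof action === "string" ? action : "granular",
  };
}

// Privacy by default: no record, or a record given for an older version of the
// notice, means "no". Nothing is pre-ticked or inferred from continued browsing.
function mayRun(purpose, record) {
  if (!record || record.version !== POLICY_VERSION) return false;
  return Array.isArray(record.granted) && record.granted.includes(purpose);
}

// Gate third-party loaders on the record instead of injecting vendor scripts at
// page load. `loaders` maps purpose -> function that would inject the tag.
// Returns the purposes actually enabled, for logging and testing.
function applyConsent(record, loaders) {
  const enabled = [];
  for (const [purpose, load] of Object.entries(loaders)) {
    if (mayRun(purpose, record)) {
      load();
      enabled.push(purpose);
    }
  }
  return enabled;
}
```

Wire the banner’s two buttons to `recordChoice("accept_all")` and `recordChoice("reject_all")`, persist the returned record (cookie or localStorage), and call `applyConsent` on every page load instead of loading analytics or ad tags unconditionally. Bumping `POLICY_VERSION` when the notice changes invalidates old records, forcing a fresh choice rather than silently carrying consent forward.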
Common Themes Across Major Fines
Looking at the biggest GDPR fines, several patterns emerge:
International data transfers – Three of the top ten fines (Meta, TikTok €530m, Uber) relate to transferring data outside the EEA without adequate protections. The Schrems II ruling created ongoing compliance challenges that many organisations still haven’t resolved.
Advertising and tracking – Big Tech’s business model depends on data-driven advertising, but regulators increasingly reject both “legitimate interests” and “contractual necessity” as a basis for behavioural profiling. For that kind of processing, valid consent is the basis regulators expect.
Children’s data – Multiple fines target inadequate protection for minors. Default settings that expose children’s information attract particularly heavy penalties.
Transparency failures – Users must understand what happens to their data. Complex privacy policies that obscure data sharing don’t meet GDPR standards.
Dark patterns – Interfaces designed to push users toward less private options violate the requirement for freely given consent.
Appeals are common – Most major fines are appealed, and outcomes can take years. Some fines are reduced or suspended pending legal challenges. The amounts listed represent announced fines, not necessarily final paid amounts.
What This Means for Your Organisation
You probably aren’t processing data at Meta’s scale. But the principles behind these fines apply to organisations of all sizes:
- Review your international transfers – If you use US-based processors, verify they’re certified under the Data Privacy Framework or you have appropriate SCCs in place, backed by a transfer impact assessment for any destination without an adequacy decision
- Check your consent mechanisms – Rejecting cookies and marketing should be as easy as accepting them
- Audit your privacy notices – Do they clearly explain what you do with data, including any sharing with third parties or group companies?
- Protect children’s data – If your service is used by under-18s, default to maximum privacy protection
- Document your legal bases – For each processing activity, can you demonstrate why your chosen legal basis applies?
The gap between Big Tech fines and typical enforcement is closing. Regulators are increasingly targeting mid-sized companies and specific sectors like healthcare, finance, and telecoms.
Further Resources
- GDPR Enforcement Tracker – Searchable database of all GDPR fines
- ICO Enforcement Actions – UK-specific enforcement decisions
- ICO Enforcement in 2025 – Our analysis of UK enforcement trends
Last updated: January 2026. Appeal statuses reflect publicly available information at time of writing.
