UK GDPR and EU GDPR have introduced some stiff penalties for poor data protection practices. Prior to the introduction of these regulations, data protection fines didn’t really reflect the severity of poor compliance. For example, in the UK the Data Protection Act which provided far weaker rules on how data must be protected than the GDPR, only allowed for fines of up to £500,000. Facebook’s role in the Cambridge Analytica scandal saw them issued with this maximum fine in 2018, many data privacy law experts agree that if this case were to happen again today Facebook would be on the line for a much bigger fine under GDPR.
Today, violations of UK GDPR can lead to a fine of up to £17.5 million or 4% of the organisation’s worldwide annual turnover, whichever is higher.
For EU GDPR this can mean a fine of up to 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year.
So with such eye watering fines on the table, you might be wondering what the biggest fines so far have been?
Well, we have you covered. Here’s our list of the top GDPR fines so far. We’ll detail the fine, an overview of the case and where they went wrong. It’s worth noting that many of the fines below are still going through an appeals process and so may be subject to change. This is because many of the largest fines are from 2021. GDPR fines in 2021 are 613% higher than 2020.
1. Amazon €746 million (£631 million)
The biggest GDPR fine so far. Amazon first disclosed this fine in their 2021 July earnings report. The fine was levied by the Luxembourg DPA.
Full information on the fine is not yet available and Amazon is currently in the process of appealing the fine. However there are some indications that suggest that the fine is to do with cookie consent processes.
2. WhatsApp €225 million (£190 million)
WhatsApp was fined a record €225 million by the Irish data regulator, the Data Protection Commission (DPC), on August 20, 2021, for a number of cross-border data protection violations. The fine followed a lengthy investigation and enforcement process that began in 2018 and saw the DPC’s proposed verdict and punishment rejected by its European counterparts, resulting in a referral to the European Data Protection Board.
3. Google – €150 million (£125.8 million)
Google was fined €50 million by France’s data protection agency, the CNIL for loading tracking cookies without consent.
The regulator carried out investigations of the websites reported to them and found tracking cookies were automatically loaded onto the users device when the user visited Google domains, which is in breach of the country’s Data Protection laws.
Under local French (and European) law, site users should have been clearly informed before the cookies were loaded and asked for their consent. Loading non-essential cookies by default is not permitted.
Google has since updated their cookie consent mechanism process, which you can test yourself by visiting Google in incognito mode on your browser.
4. Facebook €60 million (£50.3 million)
On the 6th of January 2022, CNIL (France’s data protection agency) announced that Facebook (a subsidiary of Meta which also owns WhatsApp) would receive a fine under GDPR.
The penalty was issued because of Facebook failing to gain proper GDPR level consent for their use of cookies and tracking technologies.
The CNIL note that Facebook’s cookie consent mechanism appeared initially to have no option other than “Accept Cookies”. In other words Facebook did not give a clear option to reject all cookies and display this in equal weighting to the “Accept Cookies” option.
The total fine was 60 million euros. Facebook was also ordered to comply within three months.
5. H&M €35 million (£29.6 million)
The regulators discovered that segments of the workforce have been subjected to excessive recording of details about their personal life since at least 2014.
The data collected was stored on network drives that could be accessed by other managers.
Some of the data was collected when team leaders would hold so-called “Welcome Back Talks” with their employees after absences such as holidays and sick leave.
They would document specifics of those chats, such as holiday experiences, disease symptoms, and diagnosis.
These chats, which ranged from minor details about the employee to family concerns and religious convictions, were occasionally captured on H&Ms internal systems.
Up to 50 other managers in the organisation had access to some of this information.
Dr. Johannes Caspar, Hamburg’s commissioner for data protection and freedom of information said when announcing the case:
“This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees. Management’s efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.”
6. TIM – €27.8 million (£23.5 million)
On February 1, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali) announced a fine of €27,802,946 on TIM S.p.
TIM S.P. is a telecommunications company in Italy. They provide internet, telephone and cable tv services to customers across Italy.
The GDPR fine received relates to several unlawful marketing data processing practices.
Between 2017 and 2019, the investigating authority: Garante, received numerous complaints from individuals claiming that they had received unwanted marketing calls, without having provided their consent or despite having registered on an opt-out list, from TIM S.P.
The Garante investigated and found numerous data protection law infringements.
Their report draws attention to the fact that TIM failed to: appropriately manage the call centers that they hired to make marketing calls to existing and prospective customers and keep a suppression list of customers that had opted out of marketing up to date. They also found that they were making consent to marketing communications a condition of being able to participate in sweepstakes and to receive discounts.
Furthermore, TIM’s data breach management and data processing system management were also considered insufficient.