As of December 2022, the biggest GDPR fines so far are the following ones:
1. Amazon — €746 million
The fine was announced in 2021 and was related to Cookie Consent. The website was attempting to force users to “agree” to cookies by default, and opting out of cookies was made difficult. As a result, Amazon was collecting as much personal data as possible, which was not necessary.
2. Instagram (Meta) — €405 million
In September 2022, Instagram owner Meta was fined €405 million, because teenagers could create Instagram accounts that publicly displayed their personal data like phone numbers and email addresses.
3. Facebook (Meta) — €265 million
The Irish Data Protection Commission (DPC) fined Facebook owner Meta €265 million on 28 November 2022 for breaching GDPR rules. The decision is based on the infringement of Articles 25(1) and 25(2) of GDPR, which deal with data protection by design and by default.
4. WhatsApp (Meta) — €225 million
The WhatsApp messaging service had failed to properly explain its data processing practices in its privacy notice. In addition, the privacy information was not easily accessible.
5. Google Ireland — €90 million
The fine hit Google Ireland on January 6, 2022, for its inappropriate Cookie Consent implementation on YouTube. It was easy to accept cookies on YouTube but harder to refuse them: refusing cookies required a user to make several clicks, whereas accepting them required just one click.
6. Facebook — €60 million
Facebook was also fined on January 6, 2022, for failing to obtain proper Cookie Consent from its users. As with Google, accepting cookies on Facebook was very easy, a single “accept” click, while refusing them was more complicated.
7. Google LLC — €60 million
As with Google Ireland and Facebook (see above), Google LLC was also fined €60 million on January 6, 2022, for precisely the same reason: a Cookie Consent violation. It was very easy to accept cookies but more difficult to refuse them. In this case, the fine was related to the Google search website rather than YouTube.
8. Google – €50 million
Google’s fine was imposed in 2019 and finalized after an unsuccessful appeal in March 2020. The case was related to how Google informed its users about privacy and how Google requested users' consent for personalized advertising and other types of data processing.
9. H&M — €35 million
The Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M around €35 million on October 5, 2020. The GDPR violations were related to the “monitoring of several hundred employees.” After employees returned from vacation or sick leave, they had to attend a return-to-work meeting. Some of these meetings were recorded and were available to over 50 H&M managers, who could gain a broad knowledge of their employees’ private lives, including family issues, health status, and religious beliefs. This private information was used to help evaluate employees’ performance and make decisions about their employment.
10. TIM – €27.8 million
On January 15, 2020, Italian telecommunications operator TIM (Telecom Italia) received a €27.8 million GDPR fine from the Italian Data Protection Authority (Garante) for a series of GDPR infringements and violations that had accumulated over the preceding several years. Most of the violations were related to an excessively aggressive marketing strategy: millions of people received repeated promotional calls and unsolicited communications without the mobile phone users' consent.
11. British Airways – €22 million
In October 2020, the UK's independent authority, the ICO, fined British Airways €22 million for a personal data security breach that took place in 2018. The fine was originally intended to be $238 million, but it was later reduced. In 2018, attackers compromised British Airways’ systems and obtained its users' personal data, including log-in details, payment card information, and travelers’ names and addresses. The breach affected 400 000 British Airways customers.
The ICO concluded that British Airways did not have sufficient security measures in place to protect its systems. For example, British Airways did not even have basic security measures such as multi-factor authentication in place at the time of the breach.
12. Marriott – €20.4 million
In October 2020, the UK's independent authority, the ICO, fined Marriott €20.4 million for the public exposure of its customers' personal data. 383 million guest records (30 million belonging to EU residents) were exposed after the hotel chain’s guest reservation database was compromised by attackers. Personal data such as guests’ names, addresses, passport numbers, and payment card information was exposed. The intrusion originated in Starwood Group’s reservation system in 2014. Marriott acquired Starwood in 2016, but the intrusion was detected only in September 2018.
Initially, the ICO intended to impose a $123 million fine, but the final amount was significantly lower.