Here’s our rundown of the five biggest fines issued under the European Union’s General Data Protection Regulation (GDPR).

GDPR was implemented in 2018 with the aim of protecting personal data and privacy in the European Union (EU) and European Economic Area (EEA).

Since its introduction, there have been a number of big fines for big tech. But with Instagram racking up the second largest fine under the regulation just weeks ago, are there still lessons to be learned?

In this article we list the five biggest GDPR fines since the regulations were introduced, take a closer look at why they were issued, and explore why some believe the regulation isn’t capable of delivering on its promises.

1: Amazon – €746m

Currently, the biggest GDPR fine by far is the €746m whopper that was imposed on Amazon by Luxembourg’s National Commission for Data Protection (CNPD) on 16 July 2021.

The fine was likely triggered by a complaint filed in May 2018 by 10,000 people through the French privacy rights group La Quadrature du Net. The complaint alleged that Amazon had used users’ private data to target advertisements without consent. A full statement from La Quadrature du Net can be found here.

In its company filings dated 29 July 2021, Amazon made clear its disagreement with the fine, saying: “We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.” Amazon filed its appeal in October 2021 and the case is ongoing at the time of writing.

With previous fines for British Airways and for Marriott being reduced significantly, it is possible that Amazon could still shake off this somewhat unwelcome title – so watch this space.

2: Instagram – €405m

The second biggest GDPR fine on the list is the €405m fine Instagram was hit with on 28 July 2022 by the Irish Data Protection Commission (DPC) – Ireland’s supervisory authority for the GDPR.

A statement from the DPC outlined the reasons behind the fine, saying it marks the end of an inquiry into “the processing of personal data relating to child users of the Instagram social networking service.”

The DPC names US data scientist David Stier as the source of information that sparked the inquiry back in September 2020, noting the two main complaints as “the public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children.”

Following the referral of the case to the European Data Protection Board (EDPB) due to objections from a number of Concerned Supervisory Authorities (CSAs), a binding decision was published on 15 September 2022, imposing the €405m fine. The fine was accompanied by an order for Instagram’s owner, Meta Platforms Ireland Limited, “to bring its processing into compliance by taking a range of specified remedial actions.”

Instagram has since updated its settings and released new safety features. However, Reuters has reported that a spokesperson for the platform said: “Instagram disagrees with how the fine was calculated and is carefully reviewing the decision.”

3: WhatsApp – €225m

The third biggest GDPR fine was issued to Meta-owned messaging app WhatsApp in 2021 by the Irish DPC.

It was the result of an investigation that began on 10 December 2018 into what the DPC described in a statement as “the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service.”

Once again, the Irish DPC faced opposition from CSAs, meaning the case was referred to the EDPB, which published a binding decision on 2 September 2021.

The BBC reported a WhatsApp spokesperson saying: “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

WhatsApp launched an appeal against the ruling on 3 January 2022. At the time of writing the case is ongoing.

4 and 5: Google – €90m + €60m

Google was on the receiving end of the fourth and fifth biggest GDPR fines when the Commission Nationale de l’Informatique et des Libertés (CNIL – French Data Protection Authority) found it to be more difficult for French users to reject cookies on google.fr and youtube.com than it was to accept them.

Fines of €90m for Google LLC and €60m for Google Ireland Ltd – in line with the GDPR’s One Stop Shop mechanism – were imposed by the CNIL on 31 December 2021, followed by a 6 January 2022 announcement on the authority’s website to clarify the decision, saying:

“The restricted committee, the CNIL body in charge of issuing sanctions, judged that making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to opt for the ease of the ‘I accept’ button.

“The restricted committee considered that this process affects the freedom of consent of Internet users and constitutes an infringement of Article 82 of the French Data Protection Act, since it is not as easy to refuse cookies as to accept them.”

It goes on to justify the fine amounts “by the number of people affected and the considerable profits that the companies make from advertising revenues indirectly generated from the data collected by cookies.”

Notably, the CNIL notes that it had already warned Google about these breaches prior to the penalties and that this was taken into consideration when calculating the fines.

Google’s response was one of acceptance, with Reuters quoting a Google spokesperson as saying: “People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision.”

Is GDPR working?

Since the launch of GDPR, many have doubted its effectiveness in controlling the use of data by big businesses, especially the tech behemoths of Silicon Valley.

With this combined top five totaling an eye-watering €1.526bn, regulators seem to be flexing their muscles. But is it enough to make a difference?

Let’s take a look at the numbers.

While €746m is certainly a lot of money, it was only approximately 0.2%* of Amazon’s 2020 annual revenue, which reportedly totaled $386bn. This is far from the maximum 4% of turnover outlined on the GDPR website.

Google had it even easier, with €150m making up approximately 0.09%* of its reported $182.53bn 2020 revenue.

And with revenue of $117.9bn reported for the 2021 fiscal year, Instagram’s owner Meta had generated enough money to match its €405m fine in approximately a day and a half.*

When you consider that many of the tech giants generate a large proportion of their revenues from digital advertising (which in most cases has historically used third-party cookies to target audiences), many could argue that these fines are a small price to pay.

Furthermore, when you combine this with the fact that the long timeframes required to enforce such fines have led to significant backlogs, it’s easy to see why many question how effective GDPR really is.

Having said that, while these fines may seem small in the context of the recipients’ overall revenue, they are by no means insignificant and have certainly grabbed headlines, helping to raise global awareness of the issues surrounding online privacy and personal data.

It is also important to remember that the 4% of turnover figure mentioned above is the maximum penalty. The actual fines that are imposed must reflect the severity of the offense. After all, if every violation were met with the maximum punishment, there would be no reason for a potential offender to hold back.

Finally, and perhaps most crucially of all, in most cases the GDPR fines that have been imposed have brought about positive change in the way the recipients handle personal data.

With this in mind, it’s hard to deny that a digital world with GDPR is ultimately a better place than it was without it.

*Calculated using exchange rates correct on the date of the fine being issued.
