However, despite recent huge GDPR fines, like the €1.2 billion fine for Meta by Ireland's Data Protection Commission (DPC), not all experts believe the regulation works as intended. So, let's dive into how it works and explore the biggest GDPR fines and their implications.
How GDPR changed business attitudes to data security
Since the GDPR came into effect in 2018, businesses have had to rethink data security.
The regulation enforces strict rules to protect personal data and holds companies accountable for their data processing. This shift has led to investments in better security measures and staff training.
The GDPR's impact goes beyond compliance and is supposed to create a culture that prioritizes data protection and privacy. The regulation has made data protection a major concern for all companies.
However, as GDPR marks its sixth birthday, experts believe Europe remains unable to police big tech’s use of people’s data effectively, despite an enforcement budget of more than €330 million ($355 million). We'll explore why below.
GDPR fines: an overview
Initially, GDPR enforcement was less strict, offering guidance rather than imposing heavy penalties. This changed on May 25, 2018, when the regulation became fully effective. Data protection authorities gained the power to impose substantial fines for non-compliance. In the six years since, NordLayer has analyzed the fines and found that authorities have issued over 2,000 violations, resulting in more than €4.5 billion in fines as of May 2024.
Each EU member state has its own data protection authority responsible for enforcing GDPR. These authorities, like the Irish Data Protection Commission, monitor compliance, investigate complaints, and issue fines.
Enforcement varies by country, depending on the resources and effectiveness of the national authority. Some countries are more proactive and impose more fines, while others may have fewer resources for enforcement.
The GDPR's ‘country of origin’ principle obliges the country in which a company has its European headquarters to police its data use across the entire EU. Four of the world’s five biggest digital platforms are based in Ireland. However, as the lead EU enforcer, Ireland makes fewer major decisions than it could.
Major violators and their penalties
There are thousands of GDPR cases, but the most notable ones involve large companies that have extensive data processing activities. The statistics mentioned below come from analyzing aggregated GDPR Enforcement Tracker database data as of May 16, 2024. CMS, an international law firm, tracked all the numbers provided on the website.
Meta Platforms Ireland
Meta Platforms Ireland, including its subsidiaries Facebook and WhatsApp, has received six of the biggest GDPR fines. The most significant penalty was €1.2 billion in 2023 for an insufficient legal basis for data processing.
Other fines included non-compliance with general data processing principles and insufficient technical and organizational measures to ensure data security in 2022, as well as insufficient fulfillment of information obligations and insufficient legal basis for data processing in 2021.
Every year, Meta receives higher and higher fines. This is partly because Meta continues to violate the rules and partly because lawsuits take a long time to resolve, resulting in several ongoing cases.
One key reason for Meta's repeated fines is its handling of user data across different services. Despite previous penalties, the company has struggled to fully comply with GDPR's requirements. Issues such as obtaining valid consent and ensuring transparency in data processing remain persistent challenges for Meta.
The scale and complexity of Meta's data processing activities also make compliance more difficult. The company operates multiple platforms with billions of users, each generating vast amounts of data. Ensuring all data processing activities meet GDPR standards is a monumental task.
Meta's legal battles highlight broader issues within the tech industry regarding data privacy and protection. Meta's actions and subsequent penalties set precedents for other companies.
Amazon
In 2021, the Luxembourg National Commission for Data Protection (CNPD) fined Amazon €746 million for violating data protection laws. The CNPD found Amazon's processing of personal data for advertising did not comply with the GDPR.
Amazon stated the decision did not involve a data breach and no customer data was exposed. The company cooperated with the investigation but disagreed with the findings and appealed in 2024, saying that the Luxembourg regulator’s approach left the company ‘without a chance to change its practices’ before issuing the penalty.
TikTok
In 2023, TikTok was fined €345 million for lapses in handling children's personal data. The company disagreed with the decision. The Irish Data Protection Commission found that TikTok set children's accounts to public by default. This made kids' videos viewable by anyone and enabled features like comments and duets. TikTok failed to protect personal data and ensure data security for young users.
Although the age verification methods were not found to violate GDPR, TikTok did not adequately protect the privacy of children under 13. The DPC concluded that TikTok needed to improve its data processing activities to comply with GDPR standards and protect EU users' data.
Google
In 2021, Google received two fines totaling €150 million for an insufficient legal basis for data processing. France’s data privacy watchdog, CNIL, fined Google for making it difficult for users to refuse cookies as easily as accepting them. This violated GDPR principles by not giving users equal control over their data choices. At that time, this was a record fine.
Ireland's significant fines
Ireland has issued €2.8 billion in fines, largely due to big tech companies like Meta and TikTok. Ireland's Data Protection Commission (DPC) serves as the lead data privacy regulator in the EU for these companies, as many have their European headquarters in Ireland. The DPC has conducted major inquiries into Facebook, WhatsApp, and Instagram.
Ireland's low corporate tax rate attracts many big tech companies to set up offices there. For instance, Meta users outside the US and Canada contract with Meta Platforms Ireland Limited, which allows Meta to avoid US taxes for these users. This makes Ireland's DPC responsible for regulating such tech giants.
Over the years, other EU data protection authorities have pressured Ireland’s DPC to be more active and impose larger fines. For example, when the DPC proposed a €30–50 million fine for WhatsApp in 2021, other EU regulators rejected it. The European Data Protection Board (EDPB) made a binding ruling, resulting in a €225 million fine.
Critics have said that the Irish DPC is under-resourced and slow in punishing privacy breaches. In 2023, tensions rose when the Irish DPC took legal action against the EDPB, arguing that the EDPB imposed overly harsh decisions. This shows that the European Data Protection Board is more aggressive on big tech than Ireland's own law enforcement. It makes sense, considering Ireland likely does not want big tech companies to move to countries that do not impose billion-euro fines.
Top countries for GDPR fines
Spain
The Spanish Data Protection Agency (AEPD) is known as one of the most active EU data protection authorities. Before the GDPR, each EU country had its own data privacy laws, and enforcement varied greatly. Spain and Germany were seen as the toughest enforcers, issuing large fines for consumer privacy violations. Before 2013, Spain logged the most data protection complaints and handed out the most severe fines in the EU, including several large fines for illegal data transfers.
Now, Spain's data protection law goes further than the GDPR. In 2022, the AEPD imposed a €10 million fine on Google LLC for disclosing personal data to third parties without a valid legal basis and hindering data subjects' right to erasure. The AEPD found Google's data transfer lacked legitimate interest and did not give data subjects the chance to object.
In 2023, Spain adopted 367 sanctions, totaling €29.8 million in fines.
Italy
The Italian data protection authority has issued 354 fines since 2018, totaling almost €150 million.
In 2024, it gave a big fine to Enel Energia, which made it into the top 10 biggest GDPR fines. The €79 million fine was for telemarketing abuses.
This is the largest fine Italy has issued so far. Interestingly, Enel Energia had already received a €26.5 million fine in 2021 for making unsolicited calls, some based on pre-recorded messages.
The Italian DPA is known for its bold actions. In 2023, it acted against OpenAI after a reported data breach involving ChatGPT. It temporarily limited data processing for Italian users and started an inquiry into issues like lack of user information and unclear legal basis for data processing. OpenAI updated its privacy policy and provided opt-out options but needed to improve age verification.
In 2023, Italy adopted 146 sanctions, resulting in €25.2 million in fines.
Germany
Since 2018, Germany has issued 183 GDPR fines totaling €55 million. In 2023, Germany had the largest number of fines, totaling 469 across all regions. Both national (federal) and regional Data Protection Authorities enforce data protection laws in Germany.
Germany is known for its strong focus on data privacy. German citizens and regulators are particularly vigilant about protecting personal data and ensuring compliance with data protection regulations. This leads to a high number of complaints and enforcement actions.
Germany has a comprehensive approach to data protection, with the Federal Data Protection Act (BDSG) complementing the GDPR. The BDSG includes specific provisions for data processing by public and private entities and mandates strict security measures to protect personal data.
The country also requires the appointment of a Data Protection Officer in many organizations, especially those involved in processing sensitive personal data or large-scale data monitoring. This ensures proper handling of personal data across various sectors.
Common GDPR violations
Insufficient legal basis for data processing
This is the most common GDPR violation, with 635 instances costing companies €1.6 billion since the regulation came into effect. Meta faced a €1.2 billion fine, while the French CNIL fined Google and Facebook in 2021 for similar reasons.
These cases often involve issues with cookie consent. For example, the French CNIL criticized Google and Facebook for not providing users with an easy way to refuse cookies compared to accepting them. This resulted in fines totaling €150 million for Google and €60 million for Facebook.
Non-compliance with general data processing principles
Non-compliance with general data processing principles often results in significant fines under the GDPR. These principles, outlined in Article 5 of the GDPR, require that personal data be processed lawfully, fairly, and transparently. Companies must inform users clearly about how their personal data is processed, including the purpose and legal basis.
Meta Ireland
The Irish Data Protection Commission fined Meta Ireland for not clearly informing users about the legal basis for processing their personal data. Users did not understand what data processing activities were occurring, their purposes, or the legal bases. The DPC viewed this as a serious violation and imposed fines, requiring Meta Ireland to comply quickly.
The DPC also found that Meta Ireland did not rely on user consent as the lawful basis for processing personal data. Instead, Meta Ireland used ‘contract’ as the legal basis for personalized services, including advertising. While the GDPR allows contract-based data processing, the DPC raised concerns about transparency and fairness to users, emphasizing the need for clear and lawful data processing practices.
TikTok
TikTok faced regulatory action for non-compliance with general data processing principles, especially regarding child users. An inquiry examined TikTok's processing of personal data from July 31, 2020, to December 31, 2020. Issues included default public settings and the ‘Family Pairing’ feature, which did not adequately protect children's personal data. TikTok's age verification process during registration was also insufficient, failing to provide clear information and lawful processing.
Insufficient technical and organizational measures to ensure information security
For this reason, the Irish Data Protection Commission fined Meta Ireland €265 million after discovering a dataset of Facebook personal data on the internet. The inquiry focused on Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools used between May 2018 and September 2019.
The DPC found that Meta did not adequately protect personal data, failing to comply with the GDPR's Data Protection by Design and Default requirements under Article 25. This lack of proper security measures exposed personal data to significant risks.
Similarly, the Italian Data Protection Authority fined Enel Energia €79 million for serious shortcomings in their data processing and security measures. Investigations showed that Enel Energia did not implement necessary security measures, allowing unauthorized agents to exploit their systems.
This resulted in unauthorized activities, including nuisance calls and unauthorized service promotions, affecting at least 9,300 contracts. The Italian Data Protection Authority found these security failures to be severe violations of data protection regulations, leading to their highest fine ever issued.
Impact on business practices
The threat of significant GDPR fines has led businesses to invest heavily in data protection measures. Companies now focus on both organizational and technical security measures to safeguard customer data and prevent data breaches. Law firms advise clients to enhance their data protection frameworks, which include conducting regular audits and using advanced encryption technologies.
The importance of valid consent
Valid consent is crucial for GDPR compliance. Companies must ensure that data subjects provide informed, explicit, and clear consent for data processing activities. This involves using plain language and affirmative actions, like ticking a box. Failure to obtain valid consent can result in severe penalties.
Addressing data breaches
Under the GDPR, data breaches can have serious consequences. Companies must inform data subjects and relevant authorities promptly, usually within 72 hours, when a data breach occurs. This action helps mitigate potential harm and shows a commitment to data protection. Businesses should implement incident response plans and conduct regular breach simulations to ensure preparedness.
Processing sensitive personal data
Sensitive personal data, like medical records and biometric information, requires additional safeguards under the GDPR. Companies must implement strict security measures and obtain explicit consent to process this data. Advanced encryption and access controls are helpful in protecting sensitive data.
Data subject rights requests
Data subjects have the right to access, rectify, and erase their personal data. Companies must respond to data subject rights requests promptly, usually within one month. Efficient processes are necessary to handle these requests. Ideally, businesses should set up dedicated teams to manage these requests and ensure GDPR compliance.
Cross-border data transfers
Cross-border data transfers must comply with GDPR to protect EU users' data. Companies need to use appropriate safeguards, like Standard Contractual Clauses (SCCs), for international data transfers. These legal tools ensure data transferred outside the EU has equivalent protection.
NordLayer's approach to GDPR compliance
NordLayer helps businesses ensure GDPR compliance through robust security solutions and comprehensive support. By aligning with global standards like ISO 27001 and SOC 2 Type 1, NordLayer ensures the proper management of highly sensitive data. This commitment to compliance aids in protecting customer data and preventing data breaches, which helps businesses avoid GDPR fines for illegally processing customer data.
Traffic encryption
Whenever customer data or other sensitive information is sent between networks, it may be vulnerable to various attacks. NordLayer encrypts this traffic using AES 256-bit encryption, which is the optimal solution to avoiding security incidents and personal data breaches. By securing data in transit, NordLayer helps data controllers maintain compliance and avoid fines for security lapses.
Activity monitoring & visibility
Monitoring and verifying user access allow businesses to understand who is inside the enterprise network and what data they are attempting to access. This monitoring ensures GDPR compliance by keeping track of all access attempts and data usage. Effective monitoring can prevent instances of illegal processing of customer data and avoid severe penalties.
Implement access control to sensitive data
NordLayer ensures that all user identities are verified before network access permissions are granted. This includes enterprise users, third-party administrators, and business associates. By controlling access, NordLayer maintains data security and ensures compliance with GDPR. Proper access control helps prevent unauthorized access and potential data breaches, reducing the risk of significant GDPR fines.
Secure remote access
Modern organizations need modern security solutions that adapt to hybrid working environments and GDPR rules. NordLayer provides advanced protection for users, devices, apps, and data, regardless of location. Ensuring secure remote access helps businesses avoid the risk of unlawful processing of customer data and potential fines.
Secure access to data in the cloud
When using cloud service providers like AWS, Microsoft Entra ID, and Google Cloud Platform, compliance becomes a shared responsibility. NordLayer helps secure cloud environment connections, ensuring GDPR-compliant configurations and usage. By protecting data in the cloud, NordLayer helps data controllers avoid fines for non-compliance.
Threat prevention
NordLayer prevents threats before they reach your network and responds quickly when issues arise. It automatically restricts untrusted websites and users, preventing potentially harmful malware and other cyber threats from infecting devices.
NordLayer helps businesses maintain GDPR compliance, protect personal data, and avoid the serious consequences of illegal processing of customer data.
Conclusion
The GDPR has transformed how businesses approach data protection and privacy. Companies must adopt robust security measures, which help protect personal data, maintain customer trust, and avoid penalties.
This is essential not only for businesses within the EU but also for any company processing EU data. Several US states are introducing similar laws, increasing the compliance burden for businesses. In 2019, the California Consumer Privacy Act (CCPA) marked a significant shift in the US data privacy framework. Since then, seventeen states have passed comprehensive data privacy laws, including California, Virginia, Colorado, Connecticut, and Utah, with more states set to implement laws in 2024. This trend highlights the growing importance of data privacy globally.
As fines continue to grow, businesses must prioritize compliance to safeguard personal data and build trust with their customers. Embracing data protection practices is crucial in this evolving regulatory landscape.