The Top 10 Heaviest GDPR Penalties Imposed on Major Technology Companies

The effectiveness of the EU’s premier privacy law, the General Data Protection Regulation (GDPR), in curbing the excesses of leading technology corporations remains a matter of active discussion. We have assembled a list of the top 10 heftiest GDPR sanctions levied against Big Tech since its implementation in May 2018.

Leading the charge is Meta, the conglomerate behind Facebook, Instagram, and WhatsApp, not only for incurring the largest fine to date (€1.2 billion, equivalent to about $1.31 billion) but also for constituting the bulk of these significant fines (six or more, varying by platform).

It’s important to note that this compilation focuses solely on major fines issued under GDPR to technology companies. Over the years, Big Tech has also faced substantial penalties under the EU’s older ePrivacy Directive, though those fines are not included here.

GDPR-Related Penalties Imposed on Tech Companies

1. Meta (Facebook): Received a fine of €1.2 billion (~$1.31 billion) in May 2023 by the Irish Data Protection Commission (DPC) for illegal transfer of Facebook users’ data outside the EU.

2. Amazon: Incurred a €746 million (~$815 million) penalty in July 2021 by Luxembourg’s National Commission for Data Protection (CNPD) for ad targeting practices not based on user consent.

3. Meta (Instagram): Was penalized €405 million (~$443 million) in September 2021 by Ireland’s DPC due to inadequate handling of minors’ data.

4. Meta (Instagram and Facebook): Faced a combined fine of €390 million (~$426 million) in January 2023 by Ireland’s DPC for lacking a legal basis to use user data for ad targeting.

5. ByteDance (TikTok): Penalized €345 million (~$377 million) in September 2023 by Ireland’s DPC for shortcomings in managing minors’ data.

6. Meta (Facebook and Instagram): Fined €265 million (~$290 million) in November 2022 by Ireland’s DPC for default data protection breaches after features exposed users’ personal data widely.

7. Meta (WhatsApp): Penalized €225 million (~$246 million) in September 2021 by Ireland’s DPC for violating GDPR’s transparency obligations and unclear data processing disclosures.

8. Alphabet/Google (Android): Fined €50 million (~$55 million) in January 2019 by France’s CNIL for failing in transparency and consent in relation to its Android platform.

9. Meta (Facebook): Incurred a €17 million (~$18.5 million) fine in March 2022 by the Irish DPC for multiple security lapses impacting up to 30 million users.

10. ByteDance (TikTok): Fined approximately €14.8 million (~$16 million) in April 2023 by the U.K.’s Information Commissioner’s Office (ICO) in a case involving protection of minors. (Note: Despite the U.K. not being part of the EU, its data protection standards continue to align with GDPR.)

Also Noteworthy, Though Not Strictly Big Tech

The ad technology powerhouse Criteo initially faced a €60 million (~$65 million) penalty in August 2022 from France’s CNIL for a variety of GDPR infringements. However, after appealing, the fine was reduced to €40 million (~$44 million) in June 2023. The action stemmed from complaints that Criteo lacked user consent for tracking and ad profiling.

An additional highlight: The U.S-based AI firm Clearview AI was fined the maximum amount (€20 million or around $22 million, tied to its revenue) three times in 2022 by data protection authorities in Italy, Greece, and France for illegal data practices associated with harvesting internet images to power a facial-recognition AI. That year, the U.K.’s ICO also sanctioned it for GDPR violations, spotlighting the contentious company’s regulatory challenges.