The European Union’s GDPR (General Data Protection Regulation) came into effect in 2018, and since then many GDPR fines have been handed out to companies. The biggest GDPR fines have cost some of the world’s most well-known companies hundreds of millions of euros.
The GDPR law is designed to protect internet users’ privacy and ensure that their data is not used or shared without the user’s explicit consent. While companies try to meet the rules and regulations of this law, many still receive hefty fines.
This article compiles the biggest GDPR fines of all time, examining which companies were targeted and which countries fined them.
10 Biggest GDPR Fines of All Time
While not all GDPR fines are made public, we’ve compiled a list of the biggest known GDPR fines up to now (January 2025). See which businesses have been targeted by the EU for not complying with the strict GDPR law.
1. Amazon – €746 million ($826 million)
In July 2021, Amazon was hit with a massive fine by the CNPD (Commission Nationale pour la Protection des Données), a data protection institution in Luxembourg. While the CNPD stated that Amazon breached GDPR through its user data processing and use of cookies, Amazon launched an appeal, rejecting the claims made by the CNPD.
2. WhatsApp – €225 million ($249 million)
WhatsApp was fined €225 million by the Irish Data Protection Commission (DPC) in September 2021 for breaching Articles 12-14 of the GDPR. The DPC stated that WhatsApp’s updated privacy policy was unclear and complex for users to understand; furthermore, it didn’t adequately inform users that their information would be shared with other Meta (previously known as Facebook) companies.
The fine was originally going to be a lot less; unfortunately for WhatsApp, other data protection groups looked at the issue, and the fine was increased to the giant figure above. WhatsApp appealed the fine in January 2022 and is awaiting a decision from the courts.
3. Google – €150 million ($171 million)
This fine against Google is actually a combination of two penalties that were imposed at the same time on January 2, 2022. The first part of this penalty is a €90 million fine from France’s CNIL (Commission Nationale de l’Informatique et des Libertés) against Google Ireland. This French fine came about because Google allegedly made it harder for users to reject cookies on its streaming platform, YouTube. While accepting cookies involved one click, rejecting cookies was more complicated, meaning fewer users rejected them.
CNIL also hit Google LLC in California with a €50 million fine. This was for the same reasons as the fine against Google Ireland; however, it was aimed at the Google Search Engine, not YouTube. CNIL said that the Google Search page made it difficult for users to reject online trackers which gather information on their every internet movement. A French court blocked Google’s first appeal against this fine.
4. Facebook – €60 million ($66 million)
The CNIL was busy handing out fines in January 2022. As well as hitting Google with massive fines, it also smacked Facebook with one on January 6. This fine was also for non-compliance with cookie regulations since the social media platform makes it hard for users to reject cookies.
5. Google Inc – €50 million ($50 million)
The French regulator CNIL hit Google with another fine in 2019. This fine came about due to the lack of clarity in Google’s privacy policy and how difficult it was for users to opt out of ads based on tracking data.
6. H&M – €35 million ($38 million)
Germany’s Hamburg Data Protection Authority fined H&M €35 million in 2020 because the fashion company seriously violated its employees’ privacy in one of its service centers in Nuremberg. Private meetings between employees and managers were recorded, without the employees’ knowledge, before being shared with other members of management.
7. TIM – €27.8 million ($30 million)
The Italian Data Protection Authority, Garante, ordered TIM, the Italian telecommunications operator, to pay a massive €27.8 million figure for violating many GDPR regulations. These included making unwanted cold calls, even to customers who had explicitly opted out of marketing communication lists.
Moreover, consent forms distributed by the company made it difficult for users to opt out of specific marketing promotions. For example, to use the TIM mobile app, users had to consent to all conditions and there wasn’t an option to only select certain services to sign up for.
8. British Airways – €22 million ($24 million)
A data breach in 2018, which led to customers’ log-in data, credit card information, and names and email addresses being leaked, was the reason for the €22 million fine. The breach affected around 400,000 customers, causing the Information Commissioner’s Office (ICO) to fine British Airways.
You might wonder why British Airways was fined if it was the victim of a hack. ICO claimed that it was British Airways’ responsibility to implement strong security procedures to prevent hacks from occurring in the first place and that it had failed to do so. Therefore, it was the company’s responsibility to protect its customers’ data.
9. Marriott – €20 million ($22 million)
The ICO fined hotel company Marriott for a data breach that occurred in 2014. The hack actually took place on the Starwood Group’s reservation system; however, Marriott acquired Starwood Group in 2016 and therefore became responsible for the breach.
The breach itself affected many users; data such as names, email addresses, card information, and passport details were leaked and shared on the dark web. Unfortunately, even when Marriott acquired Starwood Group, it didn’t adequately resolve the issues that caused this breach in the first place.
10. Wind – €17 million ($18 million)
The Italian telecommunications operator was fined €17 million in 2020 for aggressive marketing tactics which violated customer privacy. For example, Wind inserted ads on users’ devices without their explicit consent and also used its mobile apps to get users to consent to privacy violations like location tracking.
If Wind customers signed up for marketing materials, the company then made it extremely difficult for users to unsubscribe, meaning they were left receiving a bombardment of advertising without any say in the matter.
Hi, I'm Madeleine. I'm a British writer with a global background, currently based in the UK.