The EU General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws. Under the GDPR, the EU’s data protection authorities can impose fines of up to up to €20 million (roughly $20,372,000), or 4% of worldwide turnover for the preceding financial year – whichever is higher.
Since the GDPR took effect in May 2018, we’ve seen over 900 fines issued across the European Economic Area (EEA) and the U.K. GDPR fines have ramped up significantly.
Let’s take a look at the biggest GDPR fines, explore what caused them, and consider how you can avoid being fined for similar violations. Last updated May 2022.
The biggest GDPR fines of 2020, 2021, and 2022 (so far)
1. Amazon — €746 million ($877 million)
Amazon’s gigantic GDPR fine, announced in the company’s July 2021 earnings report, is nearly 15 times bigger than the previous record. The full reasons behind the fine haven’t yet been confirmed, but we know the cause has to do with cookie consent.
And this isn’t the first time Amazon has been punished due to the way it collects and shares personal data via cookies. In late 2020, France fined Amazon €35 million after the tech giant allegedly failed to get cookie consent on its website.
How the fine could have been avoided: It’s tempting to force users to “agree” to cookies—or make opting out of cookies difficult—to collect as much personal data as possible. But regulators have shown some serious appetite for enforcing the EU’s cookie rules recently. If Amazon had obtained “freely given”, informed, and unambiguous opt-in consent before setting cookies on its users’ devices, the company probably could have avoided this huge GDPR fine.
2. WhatsApp — €225 million ($255 million)
Mere months after Amazon’s colossal GDPR fine knocked Google off the number one GDPR fine spot, WhatsApp pushed Google into third place with a penalty nearly five times as large as the search giant’s previous record. Ireland slammed WhatsApp with A €225 million GDPR penalty after claiming that the messaging service had failed to properly explain its data processing practices in its privacy notice.
Ireland is not known for issuing large fines, despite being the European home of nearly every US-based big tech firm. And even this penalty arrived only after other EU data protection authorities used the “one-stop-shop” mechanism to argue that it should have been higher. So what did WhatsApp do wrong? It’s complicated, and the company is appealing the decision.
But it boils down to WhatsApp’s alleged failure to explain its legal basis for certain data processing—“legitimate interests.”
How the fine could have been avoided: The Irish DPA said that WhatsApp’s somewhat opaque privacy notice was at fault here—the company should have provided privacy information in an easily accessible format using language its users could understand. If you’re relying on “legitimate interests,” you must make sure you explain what those interests are in respect of each relevant processing operation.
3. Google Ireland — €90 million ($102 million)
The French data protection authority (the CNIL) hit Google Ireland with this substantial fine on Jan 6 2022. The fine relates to the way Google’s European arm implements cookie consent procedures on YouTube. The Google Ireland fine was one of two fines issued as part of the same decision, with the other being levied against California-based Google LLC (which operates Google Search).
So what’s the issue? In a nutshell, the CNIL said that Google should have made it easier for YouTube users to refuse cookies. YouTube sets cookies on our devices to track our online activity for marketing purposes. It’s easy to accept cookies on YouTube, but harder to refuse them. The CNIL noted that refusing cookies required a user to make several clicks, whereas accepting cookies required just one click.
The CNIL justified the relatively high fine by pointing to the large number of people using YouTube and the huge profits that Google derives from the service. But wait a minute—doesn’t Google run its EU operations out of Ireland? How come the Irish regulator didn’t deliver this fine?
The reason, the CNIL contended, is that cookie regulation primarily falls under the ePrivacy Directive, not the GDPR, so regulators can take direct action against website operators in their jurisdiction rather than referring everything back to the organization’s “main establishment.” But the decision still qualifies as a “GDPR fine” because it’s the GDPR that determines how website operators obtain consent.
How the fine could have been avoided: Under the GDPR, consent must be “freely given”: equally easy to accept or refuse: if you can accept with one click, you should also be able to refuse with one click.
4. Facebook — €60 million ($68 million)
Facebook’s second-largest GDPR fine (including its WhatsApp fine, above) came from the French data protection authority, the CNIL, on Jan 6, 2022. The social media giant earned this €60 million penalty owing to—you guessed it—failing to obtain proper cookie consent from its users.
The issue here mainly related to the unclear way in which Facebook provided a cookie opt-out. Like with Google (see above and below), accepting cookies on Facebook is a piece of cake—just click “accept.” Refusing them is a little more complicated.
How the fine could have been avoided: The CNIL drew attention to how Facebook’s cookie consent interface seemed to offer no option except “Accept Cookies”—even when it appeared that users were actually refusing them. The CNIL reflected that this language” necessarily generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it. Don’t confuse your users. Keep language simple and straightforward whenever you’re providing privacy information.
5. Google LLC…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
