1. Amazon – €746 million

Amazon was handed a mammoth €746 million EU GDPR fine by Luxembourg’s National Commission for Data Protection in July 2021, a penalty that dwarfs all previous GDPR fines. The online retail behemoth has its EU base in Luxembourg and has come under scrutiny in recent years for compiling data on its customers and partners. Amazon has appealed the fine, stating that it “strongly” disagrees with the Commission’s findings. It isn’t the first time Amazon has fallen foul of data protection regulations. The French Data Protection Authority (CNIL) fined the company €35 million in late 2020 for its alleged failure to provide cookie consent and associated information to users on its website.

2. WhatsApp – €225 million

2021 wasn’t just notable for the biggest GDPR fine on record. It also saw the second-highest financial penalty when WhatsApp was given a massive €225 million fine in August by Ireland’s Data Protection Commission. This was as a result of breaches of transparency and data subject information obligations under articles 12, 13 and 14 of the GDPR. Specifically, WhatsApp came up short in providing information to data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” and “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”. As was the case with Amazon, WhatsApp also decided to appeal this decision.

3. Notebooksbilliger.de – €10.4 million

2021 kicked off with a significant fine for German online electronics retailer notebooksbilliger.de. On January 8, the data protection commissioner for the German state of Lower Saxony announced that the company would be subject to a €10.4 million fine for violating the GDPR’s data protection rules. For more than two years, notebooksbilliger.de had been monitoring its employees and customers with CCTV cameras, and the recordings were stored for up to 60 days. While the GDPR does not prohibit the use of CCTV, surveillance must be a legitimate response and conducted with a proper legal basis.

4. Austrian Post – €9.5 million

September saw the largest GDPR fine in Austria’s history when the country’s national post service was slapped with a €9.5 million fine. The company was sanctioned for failing to enable people to make inquiries about stored personal data via email. This was despite the fact that Austrian Post had already made this possible through several mediums such as letter, online forms and customer service. However, the Austrian Data Protection Authority said that the post service should have allowed rights requests to be sent by any medium desired, including email.

Biggest GDPR fines by country