GDPR Penalties: The Biggest Fines and What They Teach

GDPR penalties are useful not just because of their size, but because each fine shows exactly which compliance failures regulators care about most.

GDPR Penalties: The Largest and Most Instructive Cases

Meta received a record EUR 1.2 billion fine in 2023 for data transfer violations following the Schrems II ruling. Amazon was fined EUR 746 million in 2021 for violations related to targeted advertising practices.

The Most Impactful Fine

Two 2023 fines against Meta, totaling EUR 390 million, addressed how the company justified collecting and analyzing personal data for personalized advertising on its social media platforms. These decisions clarified the legal bases that major platforms can rely on for ad targeting.

The Most Underwhelming Fine

Those same EUR 390 million fines were widely criticized as insufficient given the scope of violations. The investigating authority failed to examine claims about sensitive data collection, and eleven significant data breaches occurred between the initial complaints and the final decision.

The Most Avoidable Fine

Uber received a EUR 290 million fine for data transfer violations that could have been entirely avoided by implementing Standard Contractual Clauses -- a standard practice that most other companies in similar positions had already adopted.

The Emerging Threat

Clearview AI accumulated EUR 110 million in fines from Italian, Greek, and Dutch authorities for large-scale non-consensual web scraping. This precedent has significant implications for how technology companies collect training data for artificial intelligence systems. European data protection regulators have signaled a strict approach to AI training data collection.