TOP 10 Largest GDPR Fines in 2022

by Sypher | Published in Resources


Whether you're a business owner looking to ensure compliance with the GDPR, or just curious about the largest data protection fines of the year, these eye-watering fines serve as a reminder of the importance of adhering to data protection laws and taking the necessary steps to establish an effective data-protection management program. Before we dive into the details, let’s get a bird’s eye view of the top 10 largest GDPR fines of 2022:

  1. Instagram - €405,000,000
  2. Facebook - €265,000,000
  3. Clearview AI - €69,000,000 (4 combined fines)
  4. *Microsoft Ireland — €60,000,000
  5. Meta Platforms - €17,000,000
  6. Google - €10,000,000
  7. REWE International AG - €8,000,000
  8. Cosmote Mobile Telecommunications - €6,000,000
  9. Interserve Group Limited - €5,000,000
  10. Portuguese National Statistical Institute - €4,300,000
  11. Vodafone España - €3,940,000

*Later Edit — As you can notice, there are 11 entries above, instead of 10. That is because Microsoft’s CNIL fine was issued after this article was cleared for publication, and we therefore needed to correct it.

It’s important to note that this year’s Instagram (€405M) and Facebook (€265M) GDPR fines are two of the all-time largest fines in GDPR enforcement history, and are surpassed at the top only by the staggering €746 million fine issued against Amazon. SO, without further ado:

  1. Instagram - €405,000,000 in Ireland for allowing children between the ages of 13 and 17 to use business accounts, which gave the company access to the minors’ email addresses and phone numbers. In some cases, the accounts were not set to “private” by default and could be viewed by the public. This is the second-highest penalty imposed for violations of the GDPR, following the historic €746 million fine against Amazon.
    ⚠️ Violations: Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 24 GDPR, Art. 25 (1), (2) GDPR, Art. 35 GDPR
    🔗 Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram)
     
  2. Facebook - €265,000,000 - The Irish DPA fined Facebook owner Meta after Facebook’s personal data was found on an online hacking forum. The inquiry was launched in April 2021 after media reports revealed the availability of a compiled dataset of Facebook user data on the internet. The investigation focused on the processing of data by Meta through the use of the Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools between May 2018 and September 2019, and examined whether the company was in compliance with the GDPR’s requirements for data protection by design and by default.
    ⚠️ Violations: Art. 25 (1), (2) GDPR
    🔗 Data Protection Commission Announces Decision in Facebook “Data Scraping” Inquiry
     
  3. Clearview AI - €69,000,000 in France, Greece, Italy, and the UK - €20M from each of the national DPAs in France, Greece, and Italy, and €9M in the UK — for unlawfully processing biometric data of individuals in the four countries. We've merged these four fines into a single entry in our top 10 because they are quite similar in terms of the violations quoted by the DPAs in their final decisions. Clearview AI offers a service that uses artificial intelligence to create profiles from data extracted from photos of individuals. The profiles are then enriched with additional information gathered from web scraping of public internet sources. The company was discovered to have used its services to assess individuals’ personal data without a proper legal basis and to have used the data for purposes other than those for which it was provided. Additionally, the company did not establish specific periods for deleting the data and did not adequately inform individuals about the processing of their data.
    ⚠️ Cumulated violations: Art. 5 (1) a), b), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 16 GDPR, Art. 17, Art. 21 GDPR, Art. 22 GDPR, GDPR, Art. 27 GDPR, Art. 31 GDPR, Art. 35 GDPR
    🔗 20 Million Euro Penalty Against Clearview AI (France)
    🔗 Greek DPA Imposes 20M Euro Fine on Clearview AI
    🔗 Italian DPA Fines Clearview AI EUR 20 Million
    🔗 MONETARY PENALTY NOTICE To: Clearview AI Inc
     
  4. Microsoft Ireland Operations Limited — €60,000,000 in France for violating privacy rights on "bing.com." The CNIL found that cookies were deposited on users' terminals without their consent and were used for advertising purposes, and that there was no option for users to easily refuse the deposit of cookies. The fine was justified by the scope of the processing, the number of affected data subjects, and the profits made by the company through advertising profits generated from the data collected through cookies. The CNIL also issued an order requiring that the company collect the consent of individuals in France before depositing advertising cookies on their terminals within three months, or face a penalty of €60,000 per day of noncompliance. 
    ⚠️ Violations: Art. 7 GDPR, Art. 82 French Data Protection Act
    🔗 Cookies: MICROSOFT IRELAND OPERATIONS LIMITED fined 60 million euros
     
  5. Meta Platforms - €17,000,000 in Ireland for failing to implement appropriate technical and organisational measures to protect the personal data of users. The company was also found to have processed the data for purposes other than those for which it was provided and to have failed to properly inform individuals about the processing of their data.
    ⚠️ Violations: Art. 5 (2) GDPR, Art. 24 (1) GDPR
    🔗 Irish SA fines Meta Platforms (formerly Facebook) €17M for data breaches
     
  6. Google - €10,000,000 in Spain for failing to obtain explicit consent from users before collecting and processing their personal data for the purpose of showing them personalised advertisements. The company was also found to have failed to provide users with clear and transparent information about how their data would be used.
    ⚠️ Violations: Art. 6 GDPR, Art. 17 GDPR
    🔗AEPD hands Google 10M euro GDPR fine
     
  7. REWE International AG - €8,000,000 in Austria for failing to implement appropriate technical and organisational measures to protect the personal data of users. The company was also found to have processed the data for purposes other than those for which it was provided and to have failed to properly inform individuals about the processing of their data. The interesting fact about this fine is that it was imposed for GDPR violations that occurred within both the parent company AND one of its subsidiaries, Unser Ö-Bonus Club GmbH, which, in turn, received a fine of €2 million, bringing the total to a hefty €10,000,000. 
    ⚠️ Violations: Art. 6 (1) a) GDPR, Art. 7 GDPR
    🔗 REWE International $9M GDPR fine a lesson in managing subsidiary risk
     
  8. Cosmote Mobile Telecommunications - €6,000,000 in Greece for a large data breach and multiple violations of the GDPR, following a data breach that occurred in 2020. OTE Group, the parent company was also fined €3.25 million, bringing the total to €9.25 million, which makes it the largest fine in the history of the Hellenic Data Protection Authority (HDPA). The breach, which was caused by a cyberattack on the group's information systems, affected more than 10 million OTE Group and non-OTE Group subscribers and involved large amounts of personal data, including financial and telecommunications traffic data. The HDPA found that Cosmote unlawfully retained traffic data for three months, violating the GDPR's data minimisation and storage limitation principles, and also ruled that Cosmote's data protection impact assessment was insufficient. The HDPA also determined that Cosmote did not adequately inform data subjects about the processing of their data for data analytics purposes, and incorrectly informed them that their data had been processed in an anonymized form. 
    ⚠️ Violations: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 25 (1) GDPR, Art. 26 GDPR, Art. 28 GDPR, Art. 35 (7) GDPR
    🔗Greek DPA issues largest fine yet
     
  9. Interserve Group Limited - €5,000,000 in the UK for failing to adequately secure the personal data of its employees between March 2019 and December 2020, resulting in vulnerability to a cyber attack that took place from March to May 2020. The attack affected the personal data of up to 113,000 Interserve employees. 
    ⚠️ Violations: Art. 5 (1) f) GDPR, Art. 32 GDPR
    🔗MONETARY PENALTY NOTICE To: Interserve Group Limited
     
  10. Portuguese National Statistical Institute - €4,300,000 in Portugal for GDPR breaches during the 2021 Census. CNPD stated that the Institute, while processing special data relating to health and religion, did not sufficiently explain that some of the questions were optional. According to CNPD, the Institute has shown “a disregard for the principles and obligations provided for in the GDPR, by relying on an intervention by the supervisory authority (CNPD), instead of taking the initiative to ensure that the census operation complied with that regime.” ☝️ One more thing: CNPD specifically noted that the National Statistics Institute didn't carry out any Data Protection Impact Assessment (DPIA) relating to the processing.
    ⚠️ Violations:  Art. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 28 (1), (6), (7) GDPR, Art. 35 (1), (2), (3) b) GDPR, Art. 44 GDPR, Art. 46 (2) GDPR
    🔗€4.3 million fine for breaching data protection rules in the Census
     
  11. Vodafone España - €3,940,000 in Spain for non-compliance with general data processing principles, The Spanish DPA (AEPD) conducted an investigation into the procedures used by Vodafone Spain to manage requests for SIM card changes after receiving multiple claims regarding the issuance of duplicate SIM cards to parties other than the subscribers. The AEPD found that Vodafone Spain's measures were insufficient and resulted in a loss of confidentiality and the transfer of personal data to third parties. The AEPD also determined that Vodafone Spain did not have an effective compliance and management model in place to prevent identity theft and ensure the security of personal data during the SIM card identification and delivery process. 
    ⚠️ Violations: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR
    🔗 Spanish SA imposes a fine on Vodafone España, for a loss of confidentiality related to mobile phone sim card duplicate and a lack of accountability

Final Thoughts

It is crucial for businesses to prioritise GDPR compliance as consumer demand for transparency continues to grow. 

Any company with a website targeting EU citizens must adhere to the GDPR or risk facing significant fines. A wide range of organisations, from small businesses to government agencies and major corporations, have been found to be in violation of GDPR regulations and have faced penalties ranging from thousands to tens and even hundred of millions of euros. 

To ensure compliance with the GDPR, it is essential to take action and implement a solid data-protection program.


Did you find this article helpful? Stay tuned for more by 📌 following our Social Media pages and/or 👉 subscribing to our Newsletter. We'll keep you up to date on topics such as Privacy Management, Information Security, and GDPR compliance.