Largest Fines under GDPR Series 1: Top 5 GDPR violations in 2023

POSTED ON JANUARY 10, 2025 BY DATA SECURE

Introduction

In an era defined by rapidly evolving technology and a growing digital presence, the risks of data breaches and the mishandling of sensitive information have become increasingly prevalent. The personal data a company holds is as much a liability to protect as any other asset it manages. The General Data Protection Regulation (GDPR), introduced in 2018, has reshaped how organisations handle personal data across the European Union and beyond. With its stringent requirements and hefty penalties for non-compliance, the GDPR emphasises the importance of safeguarding individuals' privacy in an increasingly data-driven world.

Data breaches carry serious consequences, often resulting in fines that reach hundreds of millions of euros. Regulators across the EU have stepped up their efforts, holding organisations accountable for violations ranging from inadequate data security measures to unlawful data processing and lack of transparency. The year 2023 was a turning point in GDPR enforcement, witnessing some of the largest fines ever imposed. From tech giants mishandling user data to lesser-known entities facing scrutiny for neglecting basic privacy protocols, 2023's landmark cases reflect the growing focus on individual rights and corporate accountability. These fines not only underscore the financial risks of non-compliance but also highlight the critical need for robust data protection practices in organisations of all sizes and industries. This article first explains the criteria used to determine fines and then examines the five most significant fines of the year, exploring the circumstances that led to these penalties and the lessons businesses can learn to avoid similar pitfalls.

How are the fines calculated?

Under Article 83 of the GDPR, fines for violations are imposed by each country's supervisory authority. These authorities monitor GDPR compliance, investigate breaches and impose penalties. While all supervisory authorities follow the same core rules for fines, their priorities and approaches to enforcement may vary.

Fine Structures Under GDPR


GDPR fines are categorized into two tiers based on the severity of the violation:

  1. Standard Maximum Penalty: Up to €10 million or 2% of the organization’s total annual worldwide revenue, whichever is higher.
  2. Higher Maximum Penalty: Up to €20 million or 4% of the total annual worldwide revenue, whichever is higher.

Factors Considered When Imposing Fines


Supervisory authorities evaluate several factors to determine the amount of the fine, including:

  • The specific offences committed.
  • The severity of the breach, which sets the starting point for the calculation.
  • The organization's annual turnover.
  • Mitigating or aggravating circumstances surrounding the violation.
  • The maximum fine applicable under the circumstances.
  • Whether the penalty serves as an effective deterrent.

This structured approach ensures that fines are proportionate, consistent, and impactful in encouraging organizations to uphold robust data protection standards.

Article 83 of GDPR can be read at: Art. 83 GDPR General conditions for imposing administrative fines

Top Five Penalties

1. META Platforms Inc. (May 2023)

In May 2023, Ireland's Data Protection Commission levied a staggering EUR 1.2 Billion penalty against Meta, Facebook’s parent company, for inadequately safeguarding European Facebook users' data during transfers to the United States. The data transfers in question were being carried out in breach of Article 46(1) GDPR. Alongside the fine, Meta was mandated to suspend data transfers between the EU and the US for a period of six months. This violation also went against the Schrems II ruling by the EU’s highest court in 2020, which invalidated the EU-US Privacy Shield Framework.

Due to the severity of the violation, the EDPB determined that the fine should be calculated within the range of 20% to 100% of the maximum allowed under the law. Additionally, the EDPB directed the Irish Data Protection Authority (IE DPA) to require Meta IE to align its processing activities with Chapter V of the GDPR. This includes stopping the unlawful processing and storage of European users' personal data in the U.S., with a deadline of six months from the notification of the IE DPA's final decision.

In addition to the substantial fine, Meta was instructed to stop these data transfers within five months and align its processing operations with GDPR within three months. The investigation stemmed from two complaints: one related to Facebook from an Austrian user and the other concerning Instagram from a Belgian user, both raising similar concerns about data protection compliance.

The full judgement can be read at: Final Decision on Meta Platforms

Article 46(1): Art. 46 GDPR Transfers subject to appropriate safeguards

2. META Platforms Inc. (January 2023)

In January 2023, the Irish Data Protection Commission imposed the second-largest penalty of the year on Meta, totalling EUR 390 Million. This included a EUR 210 million fine for GDPR violations by Facebook and an additional EUR 180 million fine for similar breaches by Instagram. In addition to the penalties, Meta Ireland was also directed to bring its data processing operations into compliance within a period of 3 months. The penalties were a result of Meta’s shift from seeking users' informed consent for personalised advertising to including a clause in its terms and conditions that compelled users to agree to data usage for ads. The EU’s data authority rejected Meta’s argument that users consent to such data usage when they accept the platform’s terms as part of a “contract” and said that it is a violation of Article 6(1)(b) of the GDPR.

After extensive investigations, the Irish Data Protection Commission (DPC) found Meta Ireland had breached its transparency obligations under GDPR by failing to clearly inform users about the legal basis for data processing and the purposes of such processing. This lack of transparency violated Articles 12, 13(1)(c), and 5(1)(a) of the GDPR. Although the DPC determined that Meta Ireland did not rely on consent for its data processing, it questioned whether the "contract" basis was appropriately applied for personalized services. The DPC imposed significant fines and ordered Meta to bring its operations into compliance. Peer regulators across the EU/EEA, known as Concerned Supervisory Authorities (CSAs), supported the DPC’s findings and recommended increasing the proposed penalties.

The full judgements can be read at: Facebook Judgement: Meta FINAL DECISION (ADOPTED) 31-12-22

Instagram Judgement: Meta FINAL Decision (ADOPTED) - IN-18-5-7 - 31-12-22

Links to the referenced GDPR articles: Article 5(1)(a), Article 6, Article 12 and Article 13(1)(c).

3. TikTok Limited

TikTok was fined EUR 345 Million in September 2023 by Irish regulators following an investigation into improper handling of children’s data. The inquiry focused on the platform's age verification process during user registration and its data processing practices for children between July 31 and December 31, 2020. The questions were posed under various Articles of GDPR, namely Articles 5, 12, 13 and 24.

The findings highlighted serious risks to children’s data privacy. The default "public" setting for child users’ accounts posed significant dangers, potentially leading to a loss of control over their data and exposure to malicious actors. TikTok failed to implement measures to ensure that children’s social media content was not accessible by default. Additionally, TikTok did not provide clear, age-appropriate information to child users about who could access their data or the implications of the public-by-default settings. These practices were found to violate GDPR principles under Articles 5, 12, and 13, underscoring the platform's failure to safeguard children’s data and uphold transparency obligations.

In response, TikTok stated that it "respectfully disagreed" with the magnitude of the penalty imposed.

Refer to Article 24 GDPR at: https://gdpr-info.eu/art-24-gdpr/

Read the entire judgement here: Final Decision Tiktok Dated 1st Day of September, 2023

4. CRITEO

French advertising technology company Criteo faced significant scrutiny in June 2023, landing on the list of GDPR violators. France’s Data Protection Authority (CNIL) imposed a EUR 40 Million fine on Criteo for breaching GDPR regulations through its targeted advertising practices. The violations stemmed from the company’s use of tracking and data processing techniques to create user profiles for personalized advertising. Criteo defended its practices, claiming that the behavioural retargeting was unintentional and arguing that the fine was excessive when compared to penalties imposed on larger U.S. tech companies. In response to these claims, CNIL reduced the original fine by one-third. Despite this reduction, the case highlights the growing enforcement of data privacy regulations in the advertising industry.

The company’s business model, heavily reliant on data collection to optimize targeted advertising, was scrutinized. The investigation identified five specific GDPR breaches: failure to demonstrate valid user consent (Article 7.1), lack of transparency and inadequate user information (Articles 12 and 13), non-compliance with users’ right of access (Article 15.1), failure to honour requests for consent withdrawal and data deletion (Articles 7.3 and 17.1), and non-compliance with joint controller agreement obligations (Article 26). The decision, reviewed and approved by 29 other European supervisory authorities, underscored the cross-border nature of this case and reinforced the importance of GDPR compliance.

Article 7 can be read at: https://gdpr-info.eu/art-7-gdpr/

Find Article 26 at: https://gdpr-info.eu/art-26-gdpr/

The entire judgement can be found here: Deliberation SAN-2023-009 of June 15, 2023

5. TikTok Limited

On April 4, 2023, TikTok was fined EUR 14.5 Million by the UK’s Information Commissioner’s Office (ICO) for breaching the UK GDPR. The fine was issued because the platform allowed children under the age of 13 to create accounts without obtaining parental consent, a clear violation of Article 8 of GDPR. The platform also failed to provide users, particularly children, with clear and accessible information about how their data was collected, used, and shared, violating Article 12. As a result, the processing of personal data was deemed unlawful, unfair, and non-transparent, contravening Article 5(1)(a).

Although TikTok’s terms of service prohibit users under 13 from creating accounts, the measures in place between 2018 and 2020 were insufficient to enforce this restriction. The ICO highlighted that children’s data might have been used for tracking or profiling, potentially exposing them to harmful or inappropriate content. Furthermore, senior staff had been informed about the presence of underage users but failed to take appropriate action. These lapses significantly aggravated the breaches.

The ICO initially proposed a larger fine of EUR 31.3 Million but reduced it after deciding not to pursue an alleged breach related to TikTok’s use of special categories of data. Following the decision, TikTok has taken steps to enhance its security measures and improve its internal data processing systems.

Read Article 8 of GDPR at: https://gdpr-info.eu/art-8-gdpr/

The penalty notice sent to TikTok can be found at: https://ico.org.uk/media/4025182/tiktok-mpn.pdf

While these were the five largest fines imposed in 2023, several other significant violations also drew attention, involving companies such as Axpo Italia S.p.A., TIM S.p.A., WhatsApp Ireland Ltd., EOS Matrix d.o.o., and Clearview AI. The rise in both the number of breaches and the substantial fines underscores a growing concern over issues like lack of consent and transparency in data handling. In the next article of this series, we will delve deeper into these notable fines and the violations that led to them.

We at Data Secure (DATA SECURE - Privacy Automation Solution) can help you understand Privacy and Trust when dealing with personal data, and we provide Privacy Training and Awareness sessions to increase the privacy quotient of your organisation.

We can design and implement RoPA, DPIA and PIA assessments to meet compliance requirements and mitigate risks under legal and regulatory privacy frameworks across the globe, in particular the Indian Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO service (dpo-india.com).

For a demo or presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or the India DPDP Act 2023, and on Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.

To download various Global Privacy Laws, kindly visit the Resources page on DPO India (dpo-india.com).

For solutions on Schrems II or Lawful Borderless Data Transfer, kindly visit our website www.borderless-data.com.

Kindly write to us at info@borderless-data.com for our six-step Lawful Borderless Data Transfer Solution.