Largest Fines under GDPR Series 2: Top 6 GDPR violations in 2024

POSTED ON JANUARY 17, 2025 BY DATA SECURE

Introduction

In recent years, the European Union's General Data Protection Regulation (GDPR) has continued to assert its authority as one of the most stringent privacy laws in the world. Following our analysis of the top five (5) GDPR fines imposed in 2023, this second article in our series shifts focus to the top six (6) GDPR penalties imposed in 2024. Regulators took a notably hard line on data privacy during the year, imposing significant fines on organisations that failed to meet their compliance obligations. From high-profile tech giants to lesser-known entities, these cases hold critical lessons for businesses across industries striving to align with GDPR's compliance requirements.

This comprehensive review delves into the most notable fines of 2024, providing insights into the nature of the violations, the rationale behind the penalties, and the broader implications for data protection practices. By examining these enforcement actions, we aim to offer valuable takeaways for organizations looking to enhance their compliance strategies and mitigate risks in an era where privacy is paramount.

Top Six Penalties

1. LinkedIn Ireland (October 2024)

The Irish Data Protection Commission (DPC) imposed its largest fine of 2024 on LinkedIn Ireland, amounting to EUR 310 Million, for GDPR violations related to behavioural analysis and targeted advertising. The investigation, initiated in response to a 2018 complaint lodged by a French organisation, revealed significant shortcomings in LinkedIn's legal grounds for processing user data: the company had relied on consent, legitimate interests and contractual necessity, and none of the three was found to hold up.

The DPC's decision found multiple GDPR violations by LinkedIn, primarily under Article 6 and Article 5(1)(a), which require that processing be lawful and fair. LinkedIn's reliance on consent (Article 6(1)(a)) was deemed invalid. Its reliance on legitimate interests (Article 6(1)(f)) was rejected because LinkedIn's interests were overridden by the fundamental rights and freedoms of the individuals concerned. The company also failed to justify its processing as necessary for the performance of a contract (Article 6(1)(b)). Additionally, LinkedIn breached transparency requirements under Articles 13(1)(c) and 14(1)(c) by not adequately informing users of the legal bases on which it processed their data. In addition to the monetary penalty, LinkedIn was reprimanded and ordered to bring its processing into compliance with GDPR.

Read the press release at: Irish Data Protection Commission fines LinkedIn Ireland €310 million

Article 5(1)(a): Principles relating to processing of personal data

Article 6: Lawfulness of processing

Article 13: Information to be provided where personal data are collected from the data subject

Article 14: Information to be provided where personal data have not been obtained from the data subject

2. Uber Technologies Inc., Uber B.V. (August 2024)

Uber was fined EUR 290 Million by the Dutch Data Protection Authority (AP) for breaching GDPR by transferring and storing European drivers' personal data in the United States without appropriate safeguards. The AP found that Uber B.V. had not put in place the appropriate safeguards required by Article 46(2) of the GDPR between August 2021 and November 2023, in breach of the general principle for transfers in Article 44. The AP noted that, without such safeguards, the transferred data could be accessed by U.S. law enforcement and intelligence agencies, undermining the protection drivers are entitled to under GDPR.

Uber neither used Standard Contractual Clauses (SCCs) nor relied on another transfer tool that would have ensured an EU-equivalent level of protection. The data concerned included account details, taxi licences, location data, photos, payment details, identity documents and, in some cases, criminal and medical records. The investigation began after complaints from more than 170 French drivers, and the French and Dutch authorities worked together closely throughout. Uber has since addressed the issue but has said it will appeal the fine.

This is Uber's third penalty from the AP, following earlier sanctions in 2018 and 2023. Under GDPR, fines can reach up to 4% of a company's worldwide annual turnover, which for Uber was EUR 34.5 billion in 2023. Given the severity of the breach and its prolonged duration, the AP imposed the EUR 290 million fine, its largest to date, on Uber Technologies Inc. and Uber B.V. as joint controllers.

Find the case summary at: AP (The Netherlands) - Uber

Article 44: General principle for transfers

Article 46: Transfers subject to appropriate safeguards

3. Meta Platforms Ireland Limited (September 2024)

Meta Platforms Ireland Limited (MPIL) was fined EUR 91 Million by the Irish Data Protection Commission (DPC) for GDPR violations related to the mishandling of social media users' passwords.

In March 2019, MPIL notified the DPC that it had inadvertently stored certain users' passwords in plaintext on its internal systems, that is, neither hashed nor otherwise cryptographically protected. MPIL also published information about the incident in March 2019. The passwords were not exposed to external parties. Because MPIL's main establishment in the EU is in Ireland, the DPC acted as Lead Supervisory Authority for the inquiry into the company's GDPR compliance. The inquiry focused on whether Meta had implemented security measures appropriate to the risks of processing user passwords, and whether it had met its obligations to document and report personal data breaches to the DPC.

The DPC's decision found that Meta had breached GDPR by failing to notify the regulator of the plaintext password storage (Article 33(1)), failing to document the breach (Article 33(5)), and failing to implement appropriate security measures (Articles 5(1)(f) and 32(1)). While Meta reported no evidence of unauthorised access to or misuse of the passwords, the DPC emphasised the risk posed by their insecure storage: anyone with access to the internal systems concerned could potentially have used them to access user accounts. Meta has since resolved the issue and cooperated fully during the investigation.
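The Meta decision turns on how passwords are stored and on keeping them out of internal systems that were never meant to hold them. The following Python is an added example, not code from the page or from Meta, showing the failure mode (keeping the password itself), the hardened form (a salted, memory-hard hash checked in constant time), and two practitioner checks: a redaction step applied to structured records before they are logged, and an audit scan over constructed sample log lines for passwords that slipped through. The scrypt parameters, field names and log lines are this example's own assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# --- The failure mode: keeping the secret itself ---------------------------
# Hypothetical "before": whoever can read the store (or any log pipeline fed
# from it) can read every user's password.
def store_plaintext(password: str) -> str:
    return password  # never do this


# --- The hardened form: salted, memory-hard hash, constant-time comparison --
# scrypt with n=2**14, r=8, p=1 is a commonly used baseline; it is this
# example's choice, not a value taken from the case.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, parameters, salt, digest.
    Storing the parameters lets them be raised later without a flag day."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# --- The checks: keep secrets out of internal logs --------------------------
# Plaintext-password incidents usually come from request or debug logging
# rather than from the credential store, so redact before the record is
# written, and audit what has already been written.
SECRET_KEYS = re.compile(r"password|passwd|pwd|secret|token", re.IGNORECASE)


def redact(record: Dict[str, str]) -> Dict[str, str]:
    """Mask values of secret-looking fields in a structured log record."""
    return {k: ("[REDACTED]" if SECRET_KEYS.search(k) else v) for k, v in record.items()}


# Matches key=value and JSON "key": "value" forms of password fields.
PLAINTEXT_RE = re.compile(r'(?i)"?(password|passwd|pwd)"?\s*[:=]\s*"?([^\s",&]+)')


def find_plaintext_passwords(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, field name) for every unredacted password value."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for m in PLAINTEXT_RE.finditer(line):
            if m.group(2) != "[REDACTED]":
                hits.append((lineno, m.group(1)))
    return hits


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '2019-01-14T10:02:11 INFO login ok user=alice ip=198.51.100.7',
    '2019-01-14T10:02:12 DEBUG request body: {"user": "bob", "password": "correct horse"}',
    '2019-01-14T10:02:13 DEBUG form: user=carol&password=hunter2&remember=1',
    '2019-01-14T10:02:14 DEBUG form: user=dave&password=[REDACTED]',
]

if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
    print(redact({"user": "alice", "password": "hunter2", "token": "abc"}))
    print(find_plaintext_passwords(SAMPLE_LOG))
```

Note that the audit regex is deliberately loose (it flags a value even when it is cut short at a space) because a false positive costs a glance while a miss costs a breach notification; tune the key list to the field names your own services actually emit.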

The press release can be found at: Irish Data Protection Commission fines Meta Ireland €91 million

Read articles at Article 32: Security of processing

Article 33: Notification of a personal data breach to the supervisory authority

4. Enel Energia SpA

The Italian Data Protection Authority, the Garante, imposed its largest GDPR fine to date, over EUR 79 Million, on Enel Energia for violations related to telemarketing practices. This fine came after an earlier EUR 26.5 million penalty against the company had been annulled on procedural grounds. The investigation found that Enel Energia had failed to implement adequate technical and organisational measures to prevent unlawful telemarketing carried out in its name, in breach of GDPR Articles 5(1)(f) and 32.

Specifically, the company had not adequately secured access to its CRM system: access credentials issued to authorised agencies were shared with third parties, which allowed unauthorised telemarketing operators to look up and misuse personal data held in Enel Energia's systems. The Garante nonetheless acknowledged the remediation Enel Energia had undertaken, including introducing two-factor authentication and blocking the simultaneous use of the same credentials from different locations.

The Garante emphasised Enel Energia's responsibility as one of Italy's largest energy companies and its duty, as controller, to prevent telemarketing abuses by agencies and sub-agents acting on its behalf. Although Enel Energia itself suffered significant losses from these unlawful practices, losing more contracts than it gained, the regulator held that the company remained accountable for ensuring compliance with data protection law. The decision required Enel Energia to notify the 595 individuals whose data had been unlawfully accessed, to implement traceability measures so that activity in its systems can be monitored, and to ensure that its contracts with agencies and sub-agents meet the requirements of Article 28 on processors. The Garante also ordered the company to improve system security to prevent unauthorised access, and imposed the administrative fine under Article 83 GDPR.
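The Enel Energia decision describes two controls on CRM credentials: a preventive one (blocking the same credential from being used from two locations at once) and a detective one (traceability of who did what in the system). The Python below is an added example, not code from the page or from Enel Energia, that implements both against a constructed sample of CRM authentication events: a session policy that refuses a second concurrent location for the same account, and a detector that replays historical events and flags accounts bouncing between locations within a short window, which is the classic footprint of a shared credential. The log format, the use of the /24 network as a stand-in for "location", the 30-minute window and the 8-hour session lifetime are all this example's assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of CRM authentication events (not real Enel logs).
# Only documentation-range IPs are used.
SAMPLE_LOG = """\
2024-03-04T08:58:10 LOGIN  user=agent17 ip=203.0.113.5
2024-03-04T09:03:42 LOGIN  user=agent17 ip=198.51.100.22
2024-03-04T09:05:00 QUERY  user=agent17 ip=198.51.100.22 customer=C-0001
2024-03-04T09:06:15 QUERY  user=agent17 ip=203.0.113.5 customer=C-0002
2024-03-04T09:40:00 LOGIN  user=agent03 ip=203.0.113.9
2024-03-04T10:15:30 LOGOUT user=agent03 ip=203.0.113.9
2024-03-04T10:20:00 LOGIN  user=agent03 ip=203.0.113.9
2024-03-04T11:00:00 LOGIN  user=agent08 ip=192.0.2.44
2024-03-04T11:01:00 LOGIN  user=agent08 ip=192.0.2.45
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\w+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)")


def parse_log(text: str) -> List[dict]:
    """Turn the sample format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "event": m["event"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def location_of(ip: str) -> str:
    # Assumption for the example: the /24 network stands in for a location.
    # A real deployment would map source addresses to offices or geo-IP regions.
    return ip.rsplit(".", 1)[0]


class SingleLocationPolicy:
    """Preventive control: refuse a new session from a different location while
    one is still active for the same credential. Sessions expire after `ttl`."""

    def __init__(self, ttl: timedelta = timedelta(hours=8)):
        self.ttl = ttl
        self.active: Dict[str, Tuple[str, datetime]] = {}

    def login(self, user: str, ip: str, ts: datetime) -> bool:
        current = self.active.get(user)
        if current and current[0] != location_of(ip) and ts - current[1] < self.ttl:
            return False
        self.active[user] = (location_of(ip), ts)
        return True

    def logout(self, user: str) -> None:
        self.active.pop(user, None)


def replay_policy(events: List[dict]) -> List[Tuple[str, str]]:
    """Replay LOGIN/LOGOUT events through the policy; return the logins it would deny."""
    policy = SingleLocationPolicy()
    denied = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "LOGIN" and not policy.login(ev["user"], ev["ip"], ev["ts"]):
            denied.append((ev["user"], ev["ip"]))
        elif ev["event"] == "LOGOUT":
            policy.logout(ev["user"])
    return denied


def find_concurrent_sessions(events: List[dict], window: timedelta = timedelta(minutes=30)):
    """Detective control over any activity (not just logins): flag an account whose
    consecutive actions come from different locations within `window`.
    Returns (user, previous_location, new_location, previous_ts, new_ts)."""
    last_seen: Dict[str, Tuple[str, datetime]] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "LOGOUT":
            last_seen.pop(ev["user"], None)
            continue
        loc = location_of(ev["ip"])
        prev = last_seen.get(ev["user"])
        if prev and prev[0] != loc and ev["ts"] - prev[1] <= window:
            alerts.append((ev["user"], prev[0], loc, prev[1], ev["ts"]))
        last_seen[ev["user"]] = (loc, ev["ts"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("would be denied:", replay_policy(evs))
    for alert in find_concurrent_sessions(evs):
        print("shared-credential suspect:", alert)
```

In the sample, agent17 logs in from one network, logs in again five minutes later from another, and then both sessions keep querying customer records; the policy blocks the second login and the detector raises two alerts, one per location switch. agent08's two addresses fall in the same /24 and are treated as one location, which shows why the location mapping, not the time window, is the parameter to get right.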

Press release for the case: Telemarketing: the Italian Privacy Authority (Garante) sanctions Enel Energia

Article 28 at: Processor

Article 83: General conditions for imposing administrative fines

5. Amazon France Logistique (January 2024)

Amazon France Logistique was fined EUR 32 Million by the French Data Protection Authority (CNIL) for violating GDPR through an excessively intrusive employee monitoring system. The investigation found that Amazon's real-time tracking of warehouse employees through their handheld scanners breached GDPR principles, including data minimisation (Article 5(1)(c)) and lawfulness of processing (Article 6). The system relied on indicators such as "Stow Machine Gun" (flagging items scanned too quickly), "idle time" (flagging scanner inactivity of ten minutes or more), and "latency under ten minutes" (tracking shorter interruptions), which the CNIL found excessively invasive and not justifiable under legitimate interest. Amazon also failed to be sufficiently transparent about the monitoring, and processed the data to assess individual employees' productivity and performance, going beyond what was necessary to manage work schedules and evaluate staff.

Amazon also breached GDPR obligations in relation to its video surveillance. The company failed to meet the transparency requirements of Articles 12 and 13 and did not adequately secure the data collected (Article 32). The CNIL found that the combination of scanner and surveillance data used to evaluate employees placed them under continuous pressure, which raised both ethical and legal concerns. These practices, brought to light by media reports and employee complaints, showed that Amazon had failed to strike a balance between its operational needs and employees' privacy. The CNIL concluded that the monitoring was disproportionate and unnecessary for work planning, resulting in a significant penalty.

Read the entire judgement at: Deliberation SAN-2023-021 of December 27, 2023

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

Article 13: Information to be provided where personal data are collected from the data subject

6. Clearview AI (September 2024)

Clearview AI, a U.S.-based facial recognition company, was fined EUR 30.5 Million by the Dutch Data Protection Authority (AP) for multiple GDPR violations, backed by an order to comply on pain of periodic penalty payments that can exceed EUR 5 million. The company built a database of over 30 billion facial images, including those of Dutch citizens, by scraping photos from the internet without the knowledge or consent of the people depicted. Marketed primarily to law enforcement and intelligence agencies, Clearview's service lets customers identify individuals from CCTV footage by matching against this unlawfully compiled biometric database. The AP determined that Clearview's processing of biometric data, a special category of data with heightened protection under GDPR, had no legal basis and was not transparent, in breach of Articles 6, 9 and 12 of the regulation.

The AP identified further breaches, including failure to meet its transparency obligations, refusal to respond to data subject access requests, and obstruction of individuals' rights under GDPR. These violations affected a large number of people, including minors, who require heightened protection. Despite earlier sanctions from other EU authorities, Clearview continued its unlawful activities, which the AP treated as deliberate non-compliance, and it issued compliance orders backed by penalty payments to bring the violations to an end. AP chairman Aleid Wolfsen emphasised that facial recognition technology must not be exploited commercially and should be confined to authorised use under strict oversight.

Find the case summary and decision PDF at: Dutch DPA imposes a fine on Clearview because of illegal data collection for facial recognition

Article 9: Processing of special categories of personal data

Conclusion

If nothing else, these fines, which reach from tech giants like LinkedIn and Uber to controversial entities like Clearview AI, demonstrate that European regulators are serious about enforcing GDPR. The violations, ranging from intrusive monitoring systems and improper international transfers to insecure password storage and the mishandling of biometric data, reflect the diverse challenges organisations face in meeting GDPR's requirements. The fines, some of the largest ever imposed, show that even well-resourced organisations are not immune to accountability and underline the need for proactive compliance strategies. Companies must treat privacy as a core operational value and ensure their practices align with regulatory expectations, both to mitigate risk and to maintain the trust of their stakeholders.

We at Data Secure (DATA SECURE - Privacy Automation Solution) can help you to understand Privacy and Trust while dealing with personal data and provide Privacy Training and Awareness sessions in order to increase the privacy quotient of the organisation.

We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to GDPR, UK DPA 2018, CCPA, India Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO service (dpo-india.com).

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or India DPDP Act 2023 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com

For downloading various Global Privacy Laws kindly visit the Resources page in DPO India (dpo-india.com)