The biggest fines in GDPR history and why they happened

In 2018 the General Data Protection Regulation (GDPR) was introduced into European and UK domestic law. In this blog Clive Mackintosh, Founder of GDPR Rep takes a look at some of the largest fines to date and consider what lies next for firms facing the imposition of administrative fines.

Back in May 2018 it’s fair to say there were firms across Europe and the UK that simply had not heard of the GDPR and even if they had then they were certainly not prepared for responding to a very prescriptive and onerous regulation requiring the implementation of highly technical and organisational measures on managing personal data security.

GDPR affects all businesses large and small but there are many household names on our list of big data breach fines which goes to show that simply being well-resourced, financially and operationally does not provide a safety net against the criminality of cyber intrusion or poor data protection compliance.

‍Google, fined €50m in 2019

Understood to be one of the first GDPR big data breach fines. In 2019 the French Data Protection Authority issued Google with a fine of €50m for failing to give consumers easy access to required data processing statements. The regulator was also unhappy with Google’s practice of not obtaining the express consent of its users to use their personal data for advertising promotions.

British Airways, fined €20m in 2020

In 2020, the UK’s Information Commissioner’s Office (ICO) fined British Airways £20m for what it described as British Airways' failure to put in place appropriate technical and organisational measures to protect the personal data processed on its systems and allowing users of its official website to be directed to a fraudulent site. 

Cyber criminals managed to hack British Airways’ systems and modified them to steal customers' details as they were being inputted. This led to over 400,000 cardholders’ data being exfiltrated. 

Marriott International Hotels, fined €18.4m in 2020

In 2020 the UK’s ICO also fined Marriott International £18.4m for failing to detect a cyber-attack that occurred to the IT systems and network of Starwood Hotels and Resorts Inc (Starwood) a company which Marriott had acquired back in 2014. 

The ICO found that Marriott had failed to implement appropriate security measures in compliance with the GDPR that allowed the cyber criminals to remain undetected and within Starwood’s IT systems between 2014 and September 2018 thus allowing around 300 million customers' personal data including names, dates of birth, credit card information and passport numbers to be accessed.

Meta Platforms Ireland Ltd (formally Facebook Ireland Ltd), fined €405m in 2022

In September 2022, the Irish Data Protection Commissioner issued Meta a €405 million fine for the unlawful processing of personal data relating to child users of Instagram. 

According to the Commissioner, Meta’s non-compliance with the GDPR concerning the processing of personal data of children by Facebook in the context of the Instagram social networking service, in relation to the operation by children of business accounts and certain default settings which were applied to children’s accounts. Put simply, Meta failed to have appropriate technical and organisational measures in place which would have prevented this unlawful processing.

Amazon, fined €746m in 2021

In what remains the largest GDPR fine to date, in 2021, the Luxembourg Data Protection Authority issued Amazon with an administrative fine of €746 million for unlawfully tracking user data without obtaining the express consent of their online users and for failing to provide a mechanism by which users could opt out from Amazon’s tracking of their personal data.

What all this tells us

The GDPR sets a maximum fine of €20million (£18 million UK sterling) or 4% of an organisation’s global turnover – whichever is greater, for the more serious breaches of the regulation.

DPA’s across Europe including the UK’s ICO will continue to issue substantial monetary fines to organisations that fail to implement and embed adequate data protection compliance either by design or default into their technical and operational processes specifically in relation to securing and maintaining confidentiality, integrity, and availability (CIA) of an individual’s personal data processing.

GDPR Rep is on a mission to help every business achieve and maintain GPDR representation. If you are looking into how your organisation can fulfil its requirements why not schedule a no-commitment call with a GDPR representative expert today, or get a quote to understand how our value pricing makes compliance simple.