Fines · Updated March 2026 · 7 min read

The Biggest GDPR Fines Ever Issued (Updated 2026)

Since GDPR came into force in May 2018, regulators have issued over €7.1 billion in fines across 2,800+ decisions. Here are the top cases — and what violations caused them.

Key takeaway

The most common violations in large fines: cookie consent failures, data transfers without safeguards, and lack of transparency. All three are detectable and fixable.

1. Meta (Facebook)

€1,200,000,000 · DPC Ireland · 2023

Unlawful transfer of EU/EEA Facebook user data to US servers without adequate safeguards, after the CJEU Schrems II ruling invalidated Privacy Shield. Violation of Article 46(1) GDPR.

2. Amazon

€746,000,000 · CNPD Luxembourg · 2021

Unlawful processing of personal data for behavioural advertising without a valid legal basis, including violations of cookie consent and transparency obligations. Fine upheld on appeal in March 2025.

3. TikTok

€530,000,000 · DPC Ireland · 2025

Unlawful transfer of EEA user data to China without verifying that SCCs provided equivalent protection, and failure to be transparent with users about data transfers to China. TikTok also disclosed that data had actually been stored on Chinese servers, contrary to its own evidence.

4. Instagram (Meta)

€405,000,000 · DPC Ireland · 2022

Publicly exposed contact details of child users who switched to business accounts, and set all accounts — including minors' — to public by default. Violations of Articles 5, 6, 12, 24, and 25 GDPR.

5. Meta (Facebook & Instagram)

€390,000,000 · DPC Ireland · 2023

Unlawful reliance on "contractual necessity" as legal basis for processing personal data for behavioural advertising on Facebook (€210M) and Instagram (€180M). Fine followed an EDPB binding decision.

6. TikTok (children's data)

€345,000,000 · DPC Ireland · 2023

Accounts set to public by default, dark patterns discouraging privacy settings, and allowing unverified adults to contact minors via Family Pairing. Violations of Articles 5, 12, 13, 24, and 25 GDPR.

7. Google LLC / Google Ireland

€325,000,000 · CNIL France · 2025

Inserting ads between Gmail messages without valid consent (~53M French users), and placing advertising cookies during Google account creation without consent (~74M accounts). Repeat offender — previously fined by CNIL in 2020 and 2021.

8. LinkedIn

€310,000,000 · DPC Ireland · 2024

Processing EU/EEA members' personal data for behavioural analysis and targeted advertising without a valid lawful basis. LinkedIn unlawfully relied on legitimate interests, consent, and contractual necessity to justify ad targeting.

9. Uber

€290,000,000 · AP Netherlands · 2024

Transferring European taxi drivers' sensitive personal data — including identity documents, criminal records, and medical data — to Uber's US headquarters for over two years without appropriate safeguards. Violation of Article 44 GDPR.

10. Meta (Facebook data scraping)

€265,000,000 · DPC Ireland · 2022

Failure to implement privacy by design and default, which allowed scraping tools to compile a dataset of 533 million Facebook users' names, phone numbers, and email addresses that was later published online.

The pattern: what causes the biggest fines?

Cookie consent dark patterns account for 3 of the top 10 fines. Regulators are especially focused on banners that make it harder to reject than to accept.

Children's data is a major enforcement priority — TikTok and Instagram both received nine-figure fines for exposing minors' data without adequate protections.

International data transfers remain contentious. Meta's record €1.2B fine was entirely about sending EU user data to US servers under invalidated Privacy Shield agreements.

Check if your site has the same issues

Our free scanner checks for cookie consent problems, missing privacy policies, and 5 other GDPR requirements in 30 seconds.


Fine amounts sourced from public DPA decisions. This article is for informational purposes only and does not constitute legal advice.