Back to blog
FinesJanuary 2024 · 7 min read

The Biggest GDPR Fines Ever Issued (Updated 2024)

Since GDPR came into force in May 2018, regulators have issued over €4.2 billion in fines. Here are the top cases — and what violations caused them.

Key takeaway

The most common violations in large fines: cookie consent failures, data transfers without safeguards, and lack of transparency. All three are detectable and fixable.

1

Meta (Facebook)

€1,200,000,000
DPC Ireland·2023

Illegal transfer of EU user data to US servers without adequate safeguards (GDPR Article 46).

2

Amazon

€746,000,000
CNPD Luxembourg·2021

Non-compliant cookie consent system — users could not effectively refuse tracking.

3

Instagram (Meta)

€405,000,000
DPC Ireland·2022

Children's data exposed publicly; phone numbers and emails visible on business accounts owned by minors.

4

WhatsApp (Meta)

€225,000,000
DPC Ireland·2021

Lack of transparency about how user data was shared between WhatsApp and other Meta companies.

5

Google (France)

€150,000,000
CNIL France·2022

Cookie refusal mechanism was too complex — users could accept in one click but needed multiple steps to refuse.

6

Facebook (France)

€60,000,000
CNIL France·2022

Same as Google — cookie accept easier than reject, violating consent requirements.

7

Google (Spain)

€10,000,000
AEPD Spain·2022

Transferred personal data of users who had deleted their accounts to third parties for advertising purposes.

8

H&M

€35,258,708
DPA Hamburg·2020

Extensive monitoring of employees' private lives, storing data about illnesses, religious beliefs and family issues.

9

TikTok

€345,000,000
DPC Ireland·2023

Processed children's data with default public profile settings and without parental consent mechanisms.

10

Twitter / X

€450,000,000
DPC Ireland·2023

Failed to implement adequate security measures — a bug exposed private tweets of millions of users.

The pattern: what causes the biggest fines?

Cookie consent dark patterns account for 3 of the top 10 fines. Regulators are especially focused on banners that make it harder to reject than to accept.

Children's data is a major enforcement priority — TikTok and Instagram both received nine-figure fines for exposing minors' data without adequate protections.

International data transfers remain contentious. Meta's record €1.2B fine was entirely about sending EU user data to US servers under invalidated Privacy Shield agreements.

Check if your site has the same issues

Our free scanner checks for cookie consent problems, missing privacy policies, and 5 other GDPR requirements in 60 seconds.

Scan my site free →

Fine amounts sourced from public DPA decisions. This article is for informational purposes only and does not constitute legal advice.