The Biggest GDPR Fines of 2022
The financial penalties for breaching the GDPR can be staggering, running into hundreds of millions of euro.
Europe’s General Data Protection Regulation (GDPR) contains hundreds of pages’ worth of requirements and it is considered one of the toughest privacy and security laws globally. In effect since May 25, 2018, the regulation imposes obligations on organisations anywhere in the world as long as they target or collect data related to people in the EU.
The scale and complexity of the GDPR has turned it into a daunting prospect for compliance departments, though the availability of innovative software solutions has helped ease the burden.
Nevertheless, breaches are serious and financial penalties can add up to hundreds of millions of euro. This article looks at the biggest fines of 2022.
1. Meta – €405 million (Ireland)
The highest GDPR fine of 2022 was levied by the Irish Data Protection Commission against Meta over its social networking platform Instagram. The €405 million sum was also the second-highest fine under the GDPR at that point, behind only Amazon’s €746 million penalty in 2021. It concerned Instagram’s handling of children’s personal data: users aged between 13 and 17 could switch to business accounts, which displayed their email addresses and phone numbers publicly, and children’s accounts were set to public rather than private by default, so their content could be viewed by anyone.
2. Meta – €265 million (Ireland)
The Irish Data Protection Commission also imposed the second-highest penalty of 2022 when it fined Meta €265 million. The investigation was opened in 2021 after it was reported that a dataset covering more than 533 million Facebook users, containing names, Facebook IDs, email addresses and phone numbers of people in more than 100 countries, had been posted online. The data had been scraped from the platform, and the DPC found that Meta had not complied with its obligations for data protection by design and by default under Article 25. The company stated that it had cooperated fully with the investigation and had made changes to its systems to prevent unauthorised scraping in the future.
3. Clearview AI Inc. – €20 million (Italy)
American facial recognition company Clearview AI was fined €20 million by the Italian data protection authority (Garante per la Protezione dei Dati Personali). The company scrapes publicly posted photographs from the internet and adds them to a database of around 10 billion faces, on which it builds an identity-matching service sold to customers in sectors such as law enforcement. Along with the fine, the Italian authority ordered the company to delete any data it holds on people in Italy and banned it from processing any more of their facial biometrics.
4. Clearview AI Inc. – €20 million (Greece)
In July 2022, the Hellenic Data Protection Authority (HDPA) also fined Clearview AI €20 million for violating multiple provisions of the GDPR. The civil society organisation Homo Digitalis filed a complaint on behalf of a data subject, alleging that Clearview AI had failed to honour her right of access to the personal data it processed about her. The penalty is the largest the HDPA has imposed in its history. As in Italy, Clearview AI was ordered to delete all data on people in Greece and was banned from processing any further facial biometrics of Greek data subjects.
5. Clearview AI Inc. – €20 million (France)
Clearview AI added to its tally of serious GDPR breaches in 2022 with a €20 million fine in France. The penalty came roughly one year after the company had failed to comply with an order from CNIL (the French data protection authority) to stop unlawfully processing the personal data of people in France and to delete the data it already held. Clearview has responded to all of these penalties in the same way: it has refused to cooperate with regulators outside the US, denied the allegations and argued that foreign regulators have no jurisdiction over its business.
6. Meta – €17 million (Ireland)
After an inquiry into 12 data breach notifications received over a six-month period in 2018, the Irish Data Protection Commission fined Meta €17 million for breaching Articles 5(2) and 24(1) of the GDPR, the accountability provisions. It found that the company did not have appropriate technical and organisational measures in place to enable it to readily demonstrate the security measures it had actually implemented to protect EU users’ data in the context of those breaches. The decision was reached through the Article 60 cooperation procedure, under which all concerned European supervisory authorities act as co-decision makers; two of those authorities objected to the DPC’s draft decision, and consensus was reached without referral to the Article 65 dispute resolution mechanism.
7. Google – €10 million (Spain)
The AEPD, Spain’s data protection agency, levied its highest fine to date on Google for unlawfully disclosing personal data to an independent third-party research project. The €10 million penalty was imposed after the search engine giant was found to be passing the personal data of EU data subjects who had requested erasure of their data to the Lumen Project. The AEPD found that the content removal form Google provided for exercising the right to be forgotten was confusing, so users requesting erasure were not given a genuine choice over whether their information was shared with the Lumen Project, and Google thereby frustrated their right to erasure under Article 17 of the GDPR.
8. Clearview AI Inc. – €8 million (UK)
Another familiar entry on the 2022 top-10 list, Clearview AI also fell foul of the UK’s data protection regulator, though the penalty was lower than the sums imposed by the authorities in Italy, Greece and France. For breaches of the UK GDPR, the Information Commissioner’s Office fined Clearview AI just over £7.5 million (roughly €8 million) and ordered it to stop obtaining and using the publicly available personal data of UK residents. It was also ordered to delete any existing data on UK residents from its systems.
9. Rewe – €8 million (Austria)
At the beginning of 2022, Austria’s data protection authority imposed an €8 million fine on supermarket chain Rewe for breaching the GDPR in its Austrian customer loyalty programme, the Jö Bonus Club. The same programme had already attracted a €2 million fine in 2021, when around 2 million customers were allegedly not properly informed about the further use of their data. Rewe announced that it would appeal against the latest fine.
10. Cosmote Mobile Telecommunications – €6 million (Greece)
On 31 January 2022, the Hellenic Data Protection Authority fined Cosmote Mobile Telecommunications, the largest mobile operator in Greece, €6 million following a reported data breach. After attackers stole the personal data of Cosmote customers in 2020, the HDPA investigated the circumstances of the incident and concluded that appropriate data protection measures had not been implemented, that the severity of the breach had not been properly explained to the individuals affected, and that the role of the parent company, the Hellenic Telecommunications Organisation (OTE Group), had not been accounted for. Because of these multiple GDPR breaches, the HDPA issued the €6 million fine against Cosmote along with a further €3.2 million fine against the OTE Group.
GDPR fines are designed to make non-compliance with data protection obligations a costly mistake, and they fall into two tiers under Article 83. Less severe infringements can result in a fine of up to €10 million or 2% of a firm’s total worldwide annual turnover for the preceding financial year, whichever is higher. More serious violations, including breaches of the basic processing principles and of data subjects’ rights, can result in a fine of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Both the rise in enforcement actions and the size of the fines levied in recent years point to persistent failures around consent, transparency and security. Despite that worrying trend, it has been reassuring to see European regulators actively enforcing the law and imposing fines at a rate never seen before. Before 2021, the largest fine on record was levied in 2019, when Google was penalised €50 million by CNIL for how it communicated privacy information to its users and for the lack of a valid legal basis for its advertising personalisation. That sum was dwarfed by Amazon’s record €746 million fine in July 2021, and multiple penalties since then have also run into hundreds of millions of euro. It will be interesting to see just how high the fines go in 2023.