Nevertheless, breaches are serious and fines regularly run into hundreds of millions of euro with a record penalty smashing the billion threshold last year. This article looks back at the biggest fines of 2023.

In May 2023, Ireland’s Data Protection Commission imposed a record $1.2 billion fine on Facebook owner Meta. The mammoth penalty related to the transfer of European Facebook user data to the United States without sufficient protection from Washington’s intelligence agencies. Meta was also ordered to suspend the transfer of user data between the EU and the US within six months. Andrea Jelinek, Chair of the European Data Protection Board, said: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.” 

The Irish Data Protection Commission also slapped Meta with the second-highest penalty of 2023 when two fines were imposed on the company adding up to a collective €390 million. The decision was announced on 4 January 2023 with a €210 million fine relating to GDPR breaches by Facebook and a further €180 million penalty due to breaches by Instagram. Whereas Meta used to rely on users providing their informed consent to be served with personalised and behavioural advertisements, it later added a clause whereby users were effectively forced to agree that their data could be used, leading to the January 2023 fine.  

Irish regulators fined TikTok €345 million after an investigation found that the platform improperly processed children’s data. It examined the age verification aspect of the registration phase and the processing of children’s personal data between 31 July and 31 December 2020. The investigation found that videos posted to children’s user accounts were public by default while comments were also enabled by default. The Chinese-owned-platform said that it “respectfully disagreed” with the scale of the fine imposed.  

The UK’s Information Commissioner’s Office fined TikTok €14.5 million for failing to comply with data protection principles under the GDPR after allowed children under the age of 13 were allowed to create accounts on the platform. This was in violation of the GDPR’s requirement for organisations to obtain parental consent for the collection and processing of data from children under 13 yeas of age.  In addition to a lack of adequate measures to prevent children from accessing the platform, TikTok also failed to provide information to children about how their data would be collected and processed.  

Garante, the Italian Data Protection Authority, imposed a €10 million fine on Axpo Italia in late September 2023. The producer and trader of renewable energy products was penalized for processing outdated and inaccurate customer data, violating Articles 5(1)(a), 5(1)(d), 5(2), and 24 of the GDPR. It was found that Axpo acquired new electricity and gas contracts through a network of sales agents and sub-agents without having appropriate procedures in place to ensure the data corresponded to the actual users. On top of the fine, Garante ordered Axpo to adopt a series of corrective measures.   

WhatsApp was handed a €5.5 million fine by Ireland’s Data Protection Commission at the start of the year. The penalty was imposed after an individual complained about how the app asked users to agree to its updated terms of service when the GDPR came into effect. If they declined, they would no longer be able to access the service and the individual in question argued that users were being “forced” to consent to the processing of their personal data. While the fine was described as “administrative” and low in comparison to other financial penalties imposed on Meta’s services, WhatsApp nevertheless signalled that it would appeal the decision. Ireland’s regulator fined WhatsApp €225 million for transparency beaches in a previous case.  

In October 2023, Croatia’s data protection regulator announced that it imposed a €5.47 million fine on debt collection agency EOS Matrix for significant GDPR breaches. Action was taken after an anonymous petition alleged that EOS Matrix unlawfully processed the personal data of 181,641 individuals with outstanding debts with credit institutions. Among the GDPR breaches, it was found that EOS Matrix processed the data of individuals without a legal basis, failed to implement appropriate technical measures to protect personal data and failed to inform data subjects about their data being processed.   

Clearview AI added to its tally of serious GDPR breaches in 2022 with an additional €5.2 million fine in May 2023. CNIL, France’s data protection authority, levied a €20 million fine on the US company in October 2022, ordering it to cease the collection and processing of data on individuals located in France without any legal basis. It was given two months to comply and was threatened with further penalties if it failed to do so, costing €100,000 per overdue day. Clearview AI did not send any proof of compliance within the time limit, resulting in the €5.2 million fine being imposed. So far, the company has also been penalised by data protection authorities in the UK, Italy and Greece to the tune of tens of millions of euros. It remains unclear if these fines will ever be paid given the company’s persistent lack of cooperation with European regulators.