The Biggest GDPR Fines of 2022

Nevertheless, breaches are serious and financial penalties can add up to hundreds of millions of euro. This article looks at the biggest fines of 2022.  

The highest GDPR fine of 2022 was levied against Meta-owned social networking platform Instagram by the Irish Data Protection Commission. The €405 million sum is also the second-highest fine under GDPR after Amazon’s €746 million penalty in 2021. It is intended to punish Meta due to Instagram violating children’s privacy through the publication of email addresses and phone numbers. The platform allowed children aged between 13 and 17 to use business accounts where both the email addresses and phone numbers could be accessed. In addition, the accounts were not set to private by default and they could be viewed by the public in some instances.

The Irish Data Protection Commission also slapped Meta with the second-highest penalty of 2022 when the company was fined €265 million. An investigation was opened last year when it was reported that data on more than 533 million users was dumped online containing names, Facebook IDs, email addresses and phone numbers of people across more than 100 different countries. The company stated that it cooperated fully with the investigation and made changes to its systems to prevent unauthorised data scraping in the future.

American facial recognition company Clearview AI was fined €20 million by the Italian Privacy Regulator (Garante per la Protezione dei Dati Personali). The company gathers selfies on the internet and adds them to its database of around 10 billion faces to create an identify-matching services which it sells in sectors such as law enforcement. Along with the fine, the Italian authorities ordered the company to delete any data it holds on Italians and banned it from processing more of their facial biometrics.

Clearview AI added to its tally of serious GDPR breaches in 2022 with a €20 million fine in France. One year after the company failed to respond to an order from CNIL (the French data protection authority) to stop unlawfully processing the information of French citizens and to delete any existing data, it was hit with the penalty. So far, Clearview has handled all of these penalties in the same way – refusal to cooperate with regulators outside the US. So far, the company has denied all allegations and claimed foreign regulators do not have jurisdiction over its business.

After an inquiry into 12 data breach notifications received over a six-month period in 2018, the Irish Data Protection Commission fined Meta €17 million for breaching Articles 5(2) and 24(1) of the GDPR. It found that the company did not have appropriate technical and organizational measures in place to enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data in the context of the breaches. The decision marked the first time that Article 60 of the GDPR requiring all European supervisory authorities to act as co-decision makers has been used to resolve a data protection case.

Another familiar entry on the 2022 top-10 list, Clearview AI also fell foul of the UK’s data protection watchdog, though the penalty was lower than the sum imposed by the authorities in Italy, Greece and France. After a string of breaches of local privacy laws, Clearview AI was fined approximately €8 million by the Information Commissioner’s Office and ordered to stop obtaining and processing the personal data of UK residents publicly available online. It was also ordered to delete any existing information from its systems.

At the beginning of 2022, Austria’s data protection authority imposed an €8 million fine on supermarket chain Rewe for breaching the GDPR. It relates to data protection violations in the company’s Austrian customer loyalty programme, the Jö Bonus Club. The same programme was already hit with a €2 million fine in 2021 when 2 million customers were allegedly not properly informed about the further use of their data. Rewe has announced that it will appeal against the latest fine.

On 31 January 2022, the Hellenic Data Protection Authority fined Cosmote Mobile Telecommunications, the largest mobile operator in Greece, €6 million after a reported data breach. After attackers managed to steal the personal data of Cosmote customers in 2020, the HDPA investigated the circumstances of the incident, concluding that proper data protection measures had not been implemented, that the severity of the breach was not explained to the individuals impacted and that the parent company – the Hellenic Telecommunications Organisation (OTE Group) – had not been included in the investigation. Due to multiple GDPR breaches, the HDPA issued the €6 million fine for Cosmote, along with a further €3.2 million fine for the OTE Group.