The Top 6 GDPR Fines & The Importance of Data Privacy
December 21, 2021
In response to the continuous mishandling of consumer data by companies and the ongoing threat of cyberattacks and data breaches exposing people’s personally identifiable information (PII), legislative bodies around the world are placing a strong focus on the issues of data privacy, data protection and giving consumers control over their own data.
The most well-known (and considered to be the most strict) data privacy and security law is the General Data Protection Regulation (GDPR), which launched in the European Union (EU) in 2018 but applies to any organization that interacts with or handles the data of people within the region. The EU is not alone. New privacy regulations are being introduced and enforced around the world, and the United States is no exception.
Data Privacy Laws in the United States
While the US has different laws regarding specific privacy issues (e.g., HIPAA), there isn’t, as of yet, an all-encompassing data privacy law that covers all privacy-related data and concerns. A comprehensive consumer privacy act has been introduced in Congress, but it has yet to move forward. It is therefore at the discretion of individual states to introduce and enforce these data privacy laws themselves in order to regulate companies and their handling of consumer data. Numerous states have laws that apply to one aspect of data privacy rather than a law that is all-encompassing; Illinois, for example, has BIPA, which focuses on individuals’ biometric data privacy. While many states have introduced legislation, only three, as of today, have passed and implemented comprehensive state data privacy laws—California enacted the CCPA, Virginia the VCDPA and Colorado the CPA.
While California’s CCPA (and its follow-up CPRA amendment) is considered to be the strictest of the state privacy acts, there are still concerns about the overall effectiveness of these state laws, both in how well consumer data is actually protected and in how well companies can be regulated at scale. In the case of California, while some companies have faced civil lawsuits, no fines have been publicly announced yet.
Top 6 GDPR Fines for Data Privacy Violations
As companies are investigated for violating different privacy standards, some are facing significant fines for non-compliance in countries where they operate (regardless of where they are headquartered), especially when it comes to the EU and GDPR.
As more consumers spend time and transact online, and with the growing focus on how companies protect and use consumer data, more organizations are likely to find themselves facing legal and/or financial consequences. This is especially true of tech companies. Violations include, but are not limited to, the mishandling of people’s data and the failure to report data breaches and cyberattacks. Companies that violate privacy laws can face significant fines, and some already have, and both the scope of violations and the price tags of said fines continue to grow.
In 2020 alone, GDPR fines issued by EU countries totaled more than €306 million (approx. $347 million). According to a recent Finbold report, the GDPR-related fines for 2021 are at least three times higher than the prior year.
There have been numerous GDPR data protection violations, each with its own costly fine, too many to list here, but some of the top GDPR fines according to the GDPR Enforcement Tracker include:
- Amazon Europe Core S.à.r.l. (2021): fined €746 million (approx. $865 million) by Luxembourg for “non-compliance with general data processing principles”
- WhatsApp Ireland Ltd. (2021): fined €225 million (approx. $254 million) by Ireland for “insufficient fulfillment of information obligations”
- Google LLC (2019): fined €50 million (approx. $56 million) by France for “insufficient legal basis for data processing”
- H&M Hennes & Mauritz Online Shop A.B. & Co. KG (2020): fined €35.2 million (approx. $39 million) by Germany for “insufficient legal basis for data processing”
- TIM (2020): fined €27.8 million (approx. $31 million) by Italy for “insufficient legal basis for data processing”
- British Airways (2020): fined €22 million (approx. $24 million) by the United Kingdom for “insufficient technical and organizational measures to ensure information security”
The Importance of Data Privacy
Fraudsters are using all the tactics in their arsenal to steal consumer information, including cyberattacks, phishing and social engineering, to name a few.
While consumers need to be aware and cautious of where, how and with whom they share their information when online, companies also have a responsibility to have the proper protective and advanced cybersecurity measures in place to protect sensitive data. Without them, consumer PII is likely to be illicitly accessed and then used nefariously—likely for financial gain—by fraudsters looking to portray themselves as “trustworthy” customers through fraudulent means such as identity theft and synthetic identity fraud.
Thus, having privacy and data protection as cornerstones of an organization’s operational framework will be key. Moreover, having effective identity verification and Know Your Customer (KYC) solutions during onboarding and throughout the customer lifecycle is crucial for businesses looking to prevent fraud, mitigate risk, establish trust and protect consumer PII.
With the increasing importance of privacy and data protection, especially in efforts to combat pervasive fraud, one can hope that the significant financial consequences will spur companies, of all sizes and in all industries, to take the issue of data privacy more seriously.
Learn more about how the right digital identity model can help mitigate risk and establish trust in our white paper here.
* GDPR Fines Source: CMS.Law GDPR Enforcement Tracker