The GDPR gives data protection authorities (DPAs) the power to impose an administrative fine of up to 4% of a company’s annual turnover or € 20 million for violations of the GDPR, whichever sum is higher.
The purpose of these fines is to deter similar infringements in the future. Although a noyb study found that they are among the most effective enforcement tools available to authorities, significant fines for GDPR violations are extremely rare. The fines go to the country where the proceedings take place, which is almost always the country where the fined company has its headquarters.
Since 2018, the following fines have been imposed on the basis of noyb complaints:
€ 1.2 billion fine for Meta over EU-US data transfers
At the end of 2023, Meta was fined € 1.2 billion and ordered to stop transferring Europeans’ personal data to the United States. The company is subject to US surveillance laws such as FISA 702, which allows the US government to spy on non-US citizens without probable cause or judicial approval.
This contradicts EU law, which requires “essentially equivalent” protection for data transferred outside the European Union. US companies like Meta can’t meet this requirement. This was also confirmed by the European Court of Justice’s decision to annul both the “Safe Harbor” and “Privacy Shield” agreements in its Schrems I and Schrems II rulings of 2015 and 2020 respectively.
Meta has ignored these judgements for years, resulting in the € 1.2 billion fine and an order to return all personal data to its EU data centres.
Meta fined € 395 million and banned from using personal data for ads
Following a binding decision by the European Data Protection Board, the Irish Data Protection Authority (DPC) fined Meta a total of € 395 million in January 2023 for violations on Facebook, Instagram and WhatsApp. In addition, the social media giant was banned from using personal data for advertising without asking its users for consent.
The decision follows two complaints filed by noyb on behalf of one Austrian and one Belgian user on 25 May 2018, meaning that it took the competent authority (the DPC) four and a half years to reach a decision, and only after the EDPB had overturned its first draft decision in December 2022.
Google fined € 50 million over forced consent
When the GDPR came into force on 25 July 2018, noyb filed complaints against Google, Instagram, WhatsApp and Facebook for forcing their users to accept updated privacy policies that allowed the companies to circumvent the new privacy law.
While three of these complaints embarked on a year-long journey full of non-compliance, the case against Google was resolved in June 2019: the French data protection authority (CNIL) fined the tech company € 50 million, which at the time was the highest fine ever imposed for a privacy violation.
Advertising company CRITEO fined € 40 million
At the end of June 2023, the French data protection authority (CNIL) fined CRITEO, a leading European online advertising and tracking company, € 40 million for violating data subject rights and failing to prove that it had obtained valid consent.
The decision followed a complaint filed by noyb and Privacy International in December 2018, which targeted the lack of an adequate option to withdraw consent. The complaint triggered an extensive investigation by the CNIL, which widened the scope to other areas and found additional GDPR violations, including lack of transparency and a failure to comply with the right to erasure and the right of access.
Dating app Grindr fined € 5.8 million
In 2020, noyb teamed up with the Norwegian Consumer Council (NCC) to file a complaint against the LGBTQ+ dating app Grindr for illegally sharing personal user data with hundreds of potential advertising partners. Users were not properly informed, and the consent was not specific enough: users had to agree to the entire privacy policy rather than to a specific processing operation, such as the sharing of data with other companies. The DPA also emphasised that users must be able to refuse consent without negative consequences.
The Norwegian authority’s decision originally imposed a fine of almost € 10 million on Grindr. Following an appeal, the fine was reduced to a final amount of € 5.8 million in September 2023.
Spotify fined € 5 million
Following a noyb complaint and litigation over inaction, the Swedish Data Protection Authority (IMY) fined Spotify SEK 58 million (about € 5 million) in June 2023. The music streaming service didn’t fully comply with the GDPR’s obligation to give users access to all their data, as well as information about how their data is being used. The complaint had been filed in 2019 and remained undecided for more than four years.
First major fine for using Google Analytics
Following noyb’s 101 complaints on unlawful EU-US data transfers from 2020, the Swedish data protection authority (IMY) issued the first major fine for using Google Analytics in July 2023. Although many other European authorities (such as Austria, France and Italy) had already found the use of Google Analytics to violate the GDPR, this is the first time companies have actually been fined for continuing to use Google Analytics in spite of the CJEU’s rulings on EU-US data transfers.
Telecommunications provider Tele2 was ordered to pay the equivalent of € 1 million (SEK 12 million), while the online retailer CDON had to pay SEK 300,000.
Maltese IT company fined € 65,000 over data leak
Following a massive data leak of Maltese voters’ data in 2020, noyb cooperated with the Daphne Foundation and Repubblika to file complaints against the data broker C-Planet. The leaked personal information included phone numbers, dates of birth, voting intentions and political leanings of more than 330,000 individuals.
In 2022, the Information & Data Protection Commissioner (IDPC) concluded that C-Planet had failed to implement technical and organisational measures appropriate to the risk and fined the IT company € 65,000. The decision also confirmed that C-Planet failed to notify the IDPC of the data breach and to inform the individuals affected in a timely manner.