The Biggest GDPR Fines of 2023

How our personal information is collected, stored, handled and processed is subject to strict laws and regulations. Chief among them is the General Data Protection Regulation, the GDPR. The GDPR governs information privacy procedures. It outlines what companies can and can’t do with your data.

The European Union introduced the GDPR on May 25, 2018. At that time, the UK had to abide by the rules of the EU’s GDPR. When the UK left the EU in 2020, it adopted the Data Protection Act 2018 (DPA 2018). With a few minor variations, the DPA 2018 is the same as the EU’s GDPR, which is why it’s known as the UK GDPR.

Like any law, breaking the UK GDPR has consequences. In our digital world, data is big business. Some of the most prominent and most influential companies worldwide are social media entities and online businesses. These companies have vast amounts of resources. GDPR fines must match the severity of the violation and the organisation’s financial capabilities to be effective deterrents. Otherwise, GDPR penalties will act as nothing more than the cost of doing business.

Because they are levied on some of the biggest companies on earth, GDPR fines can be massive. But how can you calculate what a GDPR breach should cost? There’s a unique formula used to calculate GDPR fines.

There are two main structures for GDPR penalties: the standard maximum penalty and the higher maximum penalty.

• The standard maximum amount that can be imposed for a GDPR breach is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
• The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

When calculating GDPR fines, authorities consider the following factors:

• What offences have been committed?
• What is the starting point and the upper limit of the fine?
• How high is the turnover of the business?
• Are there mitigating or aggravating circumstances?
• What is the maximum amount that could be applied?
• Will the fine act as a deterrent?

Despite the severity of GDPR fines, companies still regularly breach data privacy regulations. Some of the biggest offenders are names you probably encounter every day.

Meta is the owner of Facebook and is one of the most profitable companies in the world. It also faced mammoth GDPR fines in 2023. In January, the internet titan was slapped with two combined fines totalling €390 million issued by the Data Protection Commission of Ireland. €210 million was due to Facebook’s GDPR breaches and €180 million for Instagram’s GDPR breaches.

The second time in 2023 that Meta was hit with a GDPR fine was also from the Data Protection Commission of Ireland. And they weren’t kidding around this time. Meta faced a record GDPR penalty in May 2023 when authorities imposed a staggering US$1.2 billion fine on Meta for the unsafe transfer of European Facebook data to the United States. Meta was also forced to stop data transfers between the EU and the US for six months.

The hugely popular Chinese social media video site TikTok is widely considered to have problematic processes for protecting people’s data and privacy—so much so that the US government is now considering banning the site. One entity that might agree with this sentiment is once again the Data Protection Commission of Ireland. The Irish authority hit TikTok with a €345 million penalty due to improperly processing children’s data. In a released statement, TikTok stated that they “respectfully disagreed” with the severity of the fine.

The UK also levied a hefty €14.5 million penalty against TikTok because of its policies around children. TikTok was found to have violated the GDPR’s rules on parental consent and transparency.

While not as well-known as the first two examples, the French advertising firm Criteo earned its place on 2023’s list of GDPR offenders. The French Data Protection Authority (CNIL) fined Criteo €40 million for the company’s targeted advertising methods. The company appealed the harshness of the fine and eventually got it reduced by a third.

Under the GDPR, having the wrong information can be costly. The Italian Data Protection Authority (Garante) fined the energy supplier Axpo Italia S.p.A. €10 million. The company was found to have processed inaccurate and outdated customer data by signing people up for contracts without first checking that the data gathered matched their current information.

Garante certainly had its hands full in 2023. In addition to dealing with Axpo, Garante had to levy telecommunications company Tim S.p.A. with a €7.6 million GDPR fine. The telco was found to have breached a wide range of GDPR rules relating to its telemarketing activities.

In the UK, the Information Commissioner’s Office (ICO) oversees GDPR breaches and imposes fines. All monies collected by the ICO go straight to the UK Government’s Treasury Consolidated Fund and most of it comes right back to the ICO. Approximately 85% to 95% of the money generated by the fines issued by the ICO is sent back to the organisation by the government.

If you process or transmit data for personal reasons or as part of your regular household activities, then no, you can’t be held liable under the GDPR. But if you’re a self-employed person and you collect, handle, process and store data for business reasons, then yes. Self-employed people act as businesses and are subject to the GDPR.

You can also face GDPR penalties if you are guilty of breaking related national laws. This includes:

• Obstructing the ICO
• Making a false statement in response to an information notice
• Destroying or falsifying information and documents
• Altering personal data to avoid disclosure
• Disclosing personal data without consent
• Re-identifying de-identified information

While you can’t be sent to jail for breaching the GDPR, you can still face heavy penalties. Overall, it’s much better to follow the rules when it comes to personal data.

Almost every type of business uses digital technology to process personal information. If you’re not aware of your responsibilities, you could easily face a hefty GDPR fine.

On the bright side, complying with the GDPR is actually not that difficult. You don’t have to have a degree in computer science. All you need to know are a few basic principles of safe data handling.

Our GDPR Training course explains data handling essentials.

This training is beneficial for both business owners and their staff. It teaches participants exactly what the GDPR is, why it’s in place and how to enact data protection procedures in the workplace.