GDPR at 6: a look at the regulation that has levied huge fines at the the likes of Amazon and Meta (2024)

FAQs

GDPR at 6: a look at the regulation that has levied huge fines at the the likes of Amazon and Meta? ›

Some of the largest fines include Amazon's €746 (then US$877 million) in 2021, for an alleged data breach that exposed customer data; Meta was hit with a record-breaking €1.2 (US$1.29bn) fine in 2023 for mishandling people's data when transferring it between Europe and the us.

Brussels, 22 May - Following the EDPB's binding dispute resolution decision of 13 April 2023, Meta Platforms Ireland Limited (Meta IE) was issued a 1.2 billion euro fine following an inquiry into its Facebook service, by the Irish Data Protection Authority (IE DPA).

GDPR fines are designed to make non-compliance around data security a costly mistake and they can be separated into two tiers. Less severe infringements can result in a fine of €10 million or 2% of a firm's annual revenue from the preceding financial year, depending on which amount is higher.

1. Amazon — €746 Million ($823.9 Million) This fine isn't just the highest GDPR fine of 2021 — it's also the single highest GDPR fine ever issued.

General Data Protection Regulation (GDPR)

Fine income

The ICO is also able to retain specified amounts of the funds paid in response to the Civil Monetary Penalties (CMPs) we issue under data protection law and the privacy and electronic communications regulations. Each year, the income from these fines is passed to the Government's Consolidated Fund.

Background. In the summer of 2023, the Court of Justice of the European Union found that Meta's use of “contractual necessity” as their lawful basis for the processing of EU user's personal data for behavioral advertising to be in violation of GDPR.

Yes, businesses can get GDPR fines even if they are not based in the European Union. The fines for non-EU companies are the same as for companies from the EU member states. Data protection laws do not care where you are from. If the GDPR applies to you and you don't comply, you are threatened with a fine.

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This includes both “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress).

Who collects GDPR fines? ›

Under the GDPR, fines are administered by the data protection regulator in each EU country.

For especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher.

Impact of the fine

The EUR 1.2 billion fine was the largest ever imposed under the GDPR, demonstrating the seriousness of Meta's violations.

Now, in the 5th edition of the GDPR Enforcement Tracker Report, with a cut-off date of 1 March 2024, a total number of 2,086 fines (+510 in comparison to the GDPR Enforcement Tracker Report 2023) have been recorded in the CMS Enforcement Tracker database (2,225 if fines with limited information on amount or date are ...

A data controller sent paperwork to a child's birth parents without redacting the adoptive parents' names and address. After discovering the breach, the data controller did not inform the adoptive parents.

For tier 1 violations, up to 2% of annual revenue or €10 million, whichever is greater. For tier 2 violations, up to 4% of annual revenue or €20 million, whichever is greater. The tier 1 fines are applicable for violations related to: Collecting personal data of children without parental consent.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

The maximum fine for a GDPR violation is 4% of the organisation's global annual turnover or €20 million, whichever is higher. This means that even a small business could be fined millions for a GDPR violation. Data breaches also have other negative consequences for small businesses: Damage to reputation.