As we arrive at International Data Privacy Day in 2023 (Jan 28), let’s look at the most significant privacy fines issued by the European Data Protection Board over the last 5 years! For information cited in the various articles below, check out the GDPR repository.
Some big trends in the top five below are that Meta is constantly making mistakes, the Irish Data Protection Agency (DPA) is very strict and swift in its decisions, and articles 5, 12, 13, and 25 were the most-referenced GDPR articles in these decisions. On a bonus note, Google LLC was responsible for the sixth-highest fine of €90 Million, levied by the French Data Protection Authority. The variance between the fifth and sixth-highest fines is more than double the sixth-highest fine!
- July 16, 2021: In a quarterly report, Amazon.com Inc. announced that the DPA from Luxembourg had fined its European arm for failing to process personal data in compliance with the GDPR. Of course, Amazon believes the decision by the National Commission for Data Protection to be without merit. The decision has not been finalized and the articles cited are not currently available (as of this writing).
- Amount: €746 Million
- September 5, 2022: The Irish DPA (DPC) fined Meta Platforms, Inc (Instagram). The draft submitted by the DPC revealed that on Instagram, the business accounts of minors, their cell phone numbers, and email addresses were publicly displayed. In addition, the settings for those minors’ accounts were set to “public” by default, making their social media content publicly viewable, along with their personal information, unless they took action to change their settings. This potentially affects millions of minors. Articles cited in the draft are 5, 6, 23, 24, 25, and 35.
- Amount: €405 Million
- January 4, 2023: The Irish DPA (DPC) fined Meta Platforms Ireland for violations of the provisions of its Facebook and its Instagram services. In a complaint filed by the Austrian organization “None of Your Business” (NOYB), the organization alleged that Meta’s updated terms of service changed the legal basis for processing personal data in the context of behavioral advertising and other personalized services. In order to continue using the services, users had to accept the terms and conditions, which Meta used to obtain consent for targeted advertising. Additionally, the DPA found that Meta was not allowed to rely on this action from the consumer to process data for targeted advertising. This dark pattern would fall into the “Rewards and Punishment” category, since users wouldn’t be able to use the service unless they accepted, probably blindly, the terms and conditions, which are littered with legal jargon an average consumer wouldn’t understand. The DPA also ordered Meta to bring its processing practices into GDPR compliance within three months of this ruling. Articles cited in this ruling are 5, 6, 12, and 13.
- Amount: €390 Million
- November 25, 2022: The Irish DPA launched an investigation against Meta in 2021 after a dataset containing personal information from Facebook had been made available on a hacking platform. This leak affected approximately 533 million individuals, whose personal phone numbers and email addresses were exposed. A breach of article 25 was identified during the investigation, leading to the fine and ruling.
- Amount: €265 Million
- September 2, 2021: The Irish DPA (DPC) fined WhatsApp Ireland Ltd. after an extensive investigation into the messaging service’s compliance with transparency obligations under GDPR regarding the provision of information to users and non-users of the application. The DPC found that articles 12, 13, and 14 were seriously violated. Users often had to overcome multiple FAQs and search the website unreasonably for information, and the information was not presented in a clear and understandable way. The privacy notice didn’t include all relevant information related to data collection, processing, and how users may access that information and request its deletion from the application. Given the far-reaching violations, the DPC also concluded that article 5 was violated by the messaging service.
- Amount: €225 Million
Happy International Data Privacy Day!
These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.