What is GDPR Fines & Enforcement?
The penalties imposed under the EU's General Data Protection Regulation, which can reach up to 4% of a company's global annual revenue — with over €4.5 billion in total fines issued since 2018, including record penalties against Meta, Amazon, and Google.
Also known as: GDPR Penalties, GDPR Enforcement, Data Protection Fines
GDPR isn't just words on paper — it has real teeth. Over €4.5 billion in fines have been issued since 2018, and the largest penalties target the biggest companies.
Largest GDPR Fines
| Company | Fine | Year | Reason |
|---|---|---|---|
| Meta (Ireland) | €1.2 billion | 2023 | Transferring EU data to US without adequate protections |
| Amazon (Luxembourg) | €746 million | 2021 | Ad targeting without proper consent |
| Meta/Instagram (Ireland) | €405 million | 2022 | Children's data handling |
| Meta/Facebook (Ireland) | €390 million | 2023 | Forced consent for personalized ads |
| Meta/WhatsApp (Ireland) | €225 million | 2021 | Transparency failures |
| Google (France) | €150 million | 2022 | Cookie consent violations |
| H&M (Germany) | €35 million | 2020 | Employee surveillance |
| British Airways (UK) | €22 million | 2020 | Data breach (originally proposed €204M) |
| Marriott (UK) | €20 million | 2020 | Starwood data breach |
| Clearview AI (multiple) | €20M+ | 2022 | Scraping biometric data without consent |
How Fines Are Calculated
Two Tiers
- Tier 1: Up to €10 million or 2% of global annual turnover (whichever is higher)
- Tier 2: Up to €20 million or 4% of global annual turnover (whichever is higher)
Factors Considered
- Nature, gravity, and duration of the violation
- Number of people affected
- Whether it was intentional or negligent
- Steps taken to mitigate damage
- History of previous violations
- Cooperation with authorities
Why Enforcement Matters
Before GDPR
Privacy violations were treated as a cost of doing business. Fines were trivial compared to the revenue generated by data exploitation.
After GDPR
- A 4% fine on Meta's $135 billion revenue would be $5.4 billion — a real deterrent
- Companies have hired thousands of Data Protection Officers
- Privacy teams have budget and board-level attention
- Product decisions now consider GDPR compliance from the start
The Enforcement Gap
Despite large headline fines, critics note:
- Ireland (where Meta, Google, Apple, and TikTok have their EU headquarters) has been criticized for slow enforcement and industry-friendly decisions
- Most fines are still small relative to company revenue
- Appeals processes can take years
- Many companies simply factor fines into operating costs
Related Terms
CCPA
The California Consumer Privacy Act grants California residents rights over their personal information, including the right to know what data is collected, delete it, opt out of its sale, and not be discriminated against for exercising these rights.
CPRA (California Privacy Rights Act)
A 2020 California ballot measure that significantly strengthened the CCPA by creating a dedicated enforcement agency (the California Privacy Protection Agency), adding rights to correct and limit data use, and introducing the concept of 'sensitive personal information.'
Data Breach
A security incident where protected, sensitive, or confidential data is accessed, stolen, or exposed by unauthorized individuals. Data breaches can result from hacking, insider threats, lost devices, or misconfigured systems.
GDPR
The General Data Protection Regulation is a comprehensive data protection law in the European Union that gives individuals control over their personal data. It establishes strict requirements for how organizations collect, process, store, and transfer personal information.
Surveillance Capitalism
An economic system where personal data is systematically collected, analyzed, and sold to predict and influence human behavior for profit.