As the General Data Protection Regulation celebrates its 5th birthday, its application is characterised by numerous fines imposed on major American players. A look back at five eventful years.

GDPR Fine info

Applicable since May 25th, 2018, GDPR is celebrating its fifth birthday. For many companies, the “encounter” with GDPR has resulted in hefty fines. Between May 2018 and May 2023, the total number of financial sanctions amounted to 1,641, for a total amount of 2.78 billion euros.

The three largest sanctions to date have concerned Amazon (746 million euros in 2021, at the initiative of Luxembourg), Meta Platforms Ireland Ltd, alias Meta IE (405 million euros in 2022, at the initiative of Ireland), and again Meta IE (265 million euros in 2022, again in Ireland).

Other companies have also been fined, but for smaller amounts. This is the case of British Airways (22 million euros in 2020), Marriott International (20 million euros in 2020), TikTok (14.5 million euros in 2023) and Vodafone Italia (12.2 million euros in 2020).

The three countries imposing the largest total fines are Ireland (1.3 billion euros), Luxembourg (746 million euros) and France (428 million euros). In number of penalties, Spain takes the top step of the podium with 640 procedures, ahead of Italy (260 penalties) and Germany (148 penalties).

The main types of breaches are non-compliance with the general principles of data processing (1.6 billion euros), insufficient legal basis for data processing (431 million euros) and insufficient technical and organisational measures to ensure information security (377 million euros).

Finally, the sectors most affected by the sanctions are the media, telecoms and broadcasting sectors (1.7 billion euros), industry and commerce (858 million euros) and the transport and energy sectors (65 million euros).

France GDPR data

The CNIL is also very active in France

In France, the CNIL has not been idle either. Since 2018, no fewer than 71 sanctions have been pronounced, for more than 500 million euros in fines. It should also be noted that 421 formal notices have been issued in five years.

The biggest penalties concern Google LLC (90 million euros in 2021), Google Ireland Ltd (60 million euros in 2021) and Facebook Ireland Ltd (60 million euros in 2021). Other companies have also been sanctioned, including Clearview AI Inc. (20 million euros in 2022, to which a further 5.2 million euros were added in April 2023), Carrefour France (2.25 million euros in 2020) and AG2R La Mondiale (1.75 million euros in 2021).

According to the 7th barometer of the AFCDP (French Association of Personal Data Protection Correspondents), published in March 2023, 41% of DPOs consider that there is still a long way to go before considering that personal data within their organization is well protected.


Multiple benefits for compliant companies

So far, GDPR enforcement has been financially painful, especially for the large American platforms known as GAFAM. And yet, the benefits of GDPR compliance are multiple. Respecting the provisions of GDPR means respecting a large number of rights to which European citizens are now increasingly attached: the right to information, access, rectification, erasure (the “right to be forgotten”), data portability, etc. Complying with European regulations means initiating a process of restoring, then consolidating, the trust placed by customers and consumers in a company.

GDPR also requires organisations of any size, in any industry, to process only the data essential to their business (the principle of data minimisation). GDPR notably prohibits, except under the specific conditions listed in Article 9, the processing of sensitive data such as health data, political opinions, religious or philosophical beliefs or even a person’s trade union membership.

In summary, GDPR, when it is correctly applied, allows a company to better manage its risks, in particular by preventing it from exposing itself to unnecessary financial and reputational risks.