Yiamastaverna

The 10 highest GDPR fines for Big Tech

How well the European Union’s main data protection regime, the General Data Protection Regulation (GDPR), is being enforced against the most powerful tech giants continues to be a subject of ongoing debate. Below we’ve compiled a list of the 10 highest GDPR fines imposed on Big Tech since the regulation came into force in May 2018.

Meta, owner of Facebook, Instagram and WhatsApp, tops the list, both for receiving the largest single fine to date (1.2 billion euros, or around 1.31 billion US dollars at the current exchange rate) and because it is responsible for the majority of these largest penalties (six or more, depending on whether you count per platform).

Please note that this list only includes the serious penalties imposed on tech companies under the GDPR. There have also been some significant sanctions imposed on Big Tech in recent years under the bloc’s older ePrivacy Directive, but these are not included here.

Penalties for technology companies under the GDPR

1. Meta (Facebook): In May 2023, the company was fined €1.2 billion (about $1.31 billion) by the Irish Data Protection Commission (DPC) for violating rules on the transfer of personal data of Facebook users from the European Union.

2. Amazon: In July 2021, the company was fined €746 million (about $815 million) by Luxembourg’s National Data Protection Commission (CNPD) following complaints that its use of personal data for targeted ads was not based on users’ consent.

3. Meta (Instagram): In September 2021, the company was fined €405 million (approximately $443 million) by the Irish Data Protection Authority for failings in handling data of minors.

4. Meta (Instagram and Facebook): In January 2023, the company was fined a total of €390 million (approximately $426 million) by the Irish Data Protection Authority for not having a valid legal basis for processing user data for ad targeting.

5. ByteDance (TikTok): In September 2023, the company was fined €345 million (approximately $377 million) by the Irish Data Protection Commission for failings in handling the data of minors.

6. Meta (Facebook and Instagram): In November 2022, the company was fined €265 million (about $290 million) by the Irish Data Protection Authority for violating the requirements for privacy-friendly defaults and design after certain platform features, including contact importer and search tools, made the personal data of hundreds of millions of users visible to all other users.

7. Meta (WhatsApp): In September 2021, the company was fined €225 million (about $246 million) by the Irish data protection authority DPC for violating GDPR transparency obligations and failing to make it clear to users how their data was being processed.

8. Alphabet/Google (Android): In January 2019, the company was fined €50 million (about $55 million) by the French National Commission for Informatics and Freedom (CNIL) for transparency and consent violations related to its Android mobile platform.

9. Meta (Facebook): In March 2022, the company was fined €17 million (approximately $18.5 million) by the Irish Data Protection Commission (DPC) for a series of security breaches allegedly affecting up to 30 million users.

10. ByteDance (TikTok): In April 2023, the company was fined around €14.8 million (approximately $16 million at the current exchange rate) by the UK’s Information Commissioner’s Office (ICO) in another case related to the protection of minors. (Note: Although the UK is no longer in the EU, its data protection rules are still based on the GDPR.)

Not necessarily Big Tech, but worth mentioning

Adtech giant Criteo was hit with a provisional fine of €60 million (about $65 million) by France’s CNIL in August 2022 for a series of GDPR violations. However, in June 2023, the amount of the penalty was reduced to €40 million (about $44 million) after the adtech giant objected. The enforcement followed complaints that Criteo did not have users’ consent to track and profile them for ad targeting.

Another bonus mention: US AI startup Clearview AI was fined the maximum possible based on its turnover (20 million euros, or around $22 million) three times in 2022 by data protection authorities in Italy, Greece and France. The sanctions were for unlawful data processing due to its tactic of digging up selfies from the internet to train an AI facial recognition and ID matching tool. That same year, the UK’s ICO hit the company with a lesser fine for GDPR violations, so the controversial startup’s activities have attracted a lot of enforcement.
