When the GDPR came into effect, there was a lot of discussion about the potential for huge fines ranging in the hundreds of millions or even billions.
But in the years since, there have been criticisms that regulators weren’t tough enough on enforcement—particularly against the “big tech” companies that hoover up the most personal data.
However, recent decisions by EU data protection authorities (DPAs) suggest that Europe’s data protection and privacy rules might finally be starting to bite.
In fact, the ten largest GDPR and ePrivacy Directive fines were all issued against four of the “Big 5” tech companies: Google, Microsoft, Amazon, and Facebook. Apple also received its first privacy-related fine recently—but at €8m, the penalty doesn’t make the top ten.
All of these fines have been issued by just three DPAs, and they almost all relate to issues with cookies and ad targeting.
This is the story behind these three DPAs, their relationship with US tech companies, and what the apparent uptick in enforcement means for businesses operating in Europe.
Before We Begin…
Fines are not the most important thing about the GDPR. And, needless to say, data protection law doesn’t only apply to large companies.
The best reason to embrace privacy and data protection is not to avoid fines. It’s to ensure your company projects trustworthiness and professionalism—and can grow in a lawful, sustainable way.
Indeed, the fines themselves are not even the most important aspect of the “big tech” decisions explored below. Some are eye-wateringly large—but relatively insignificant to a multi-billion dollar enterprise.
The accompanying orders—that force non-compliant companies to do things differently and respect people’s personal data—are much more consequential.
Examining these high-profile penalties is important, however, as it shows how regulators are interpreting the law—and changing the landscape for digital services providers across Europe.
(Also, please assume that all of these decisions are either under appeal or have already been appealed.)
France: International ePrivacy Enforcer
France’s DPA, the CNIL, delivered five of the ten largest privacy-related fines. Here’s the list, starting at the tenth-largest data protection or privacy fine of all time:
- Google LLC: €50m, 21 January 2019
- Google Ireland: €60m, 31 December 2020
- Facebook: €60m, 31 December 2020
- Microsoft: €60m, 19 December 2022
- Google LLC: €90m, 31 December 2020
The GDPR’s “one-stop-shop” procedure means that cross-border cases should be dealt with by the DPA in the EU country where the controller is primarily based (its “main establishment”).
So why is France enforcing against Google, Facebook and Microsoft—companies whose main establishment is in Ireland?
Well, only one of France’s big fines (the smallest, against Google in January 2019) was actually enforced under the GDPR.
For that January 2019 fine, there was some uncertainty around the location of Google’s main establishment, so France was allowed to enforce the case. The CNIL found that Google’s consent requests on Android did not meet GDPR standards.
The rest of the above fines were issued under Article 82 of France’s Data Protection Law, which implements the ePrivacy Directive.
High Fines, Active Enforcement Approach
Cookies are, for the most part, the domain of the ePrivacy Directive rather than the GDPR (although the GDPR has major implications for how consent is requested and how personal data collected via cookies is processed).
But the CNIL’s enforcement action under the ePrivacy Directive is unlike that of any other EU member state.
For one thing, the penalties are much higher than we see in most other countries. Member states can set their own ceilings for ePrivacy Directive fines, and France’s ePrivacy sanction regime is tied to the GDPR (note that the UK is also considering this approach under its privacy reforms).
Also, the CNIL is very active in enforcing the cookie-related aspects of the directive. In addition to the cookie-related actions listed above, France also fined Amazon €35m in December 2020 for setting non-essential cookies without consent.
Incidentally, it was Amazon’s appeal against that 2020 decision that led the French courts to confirm that the CNIL’s approach to ePrivacy enforcement was valid and lawful.
Le Cookie Monster
The biggest French ePrivacy fines, three of which were delivered on New Year’s Eve in 2020, all show similar themes.
In each case, the CNIL found that the controller had failed to obtain valid consent for cookies. While the CNIL never uses the term, all these decisions involve “dark patterns”—manipulative design techniques that aim to push the user towards a certain outcome.
For example, in the recent action against Microsoft, the CNIL found that the company’s consent banner (in Bing) “actually discourages users from refusing cookies and encourages them to prefer the ease of the consent button.”
The decisions against Google (LLC and Ireland) and Facebook all contain similar remarks.
Google, for example, failed to provide “a means of refusing cookies as simple as the existing means of accepting them”.
The CNIL clearly hates deceptive consent requests.
Ireland: The Reluctant Gamekeeper
The next four fines on our list were all issued by the Irish Data Protection Commissioner (DPC).
Ireland is the European base of many “big tech” firms, so the DPC has the unenviable task of regulating the world’s most data-hungry companies. And the regulator is regularly criticised for failing to do so adequately.
That said, four of the five largest GDPR fines have been issued by the Irish DPC:
- WhatsApp: €225m, September 2021
- Meta (Facebook): €265m, November 2022
- Meta (Facebook and Instagram): €390m, January 2023
- Meta (Instagram): €405m, September 2022
These are some heavy fines by European standards (Meta has actually been punished more severely in the US—it settled for $5bn with the Federal Trade Commission in 2019).
So why is the DPC characterised as “reluctant” when it comes to enforcing against big tech companies?
Well, these penalties are not the work of the DPC alone.
The DPC vs the EDPB
In all of the DPC’s “big tech” fines except one—the €265m Facebook fine from November 2022—the European Data Protection Board (EDPB) intervened and directed the DPC to re-write parts of the decisions and raise the level of fines.
That November 2022 fine was related to a data breach. The DPC ordered Meta to change how it approaches “data protection by design and by default”, and the EDPB was happy with the decision.
The three other decisions involved Meta’s “legal basis for processing”, and the implications for the company’s business model were potentially much more severe.
For whatever reason, the DPC was less keen to penalise Meta for these sorts of violations, and the EDPB forced the regulator’s hand.
Let’s look at the three cases in which the EDPB intervened.
WhatsApp and Transparency
The earliest and smallest of the DPC top five fines was against WhatsApp in September 2021 (WhatsApp, while still being a Meta company, is a data controller in its own right).
The WhatsApp decision was a complex case resulting from controversial changes to WhatsApp’s privacy notice. An important question was around the interpretation of the GDPR’s concept of “legitimate interests”.
Essentially, WhatsApp’s privacy notice stated that the company had various legitimate interests for processing personal data for various purposes. But WhatsApp had not clearly linked which legitimate interests applied to which purpose.
The DPC initially decided that this was fine under the GDPR’s rules. The EDPB disagreed, stating that this approach was not sufficiently transparent. The DPC had to rewrite its decision—and also raise the fine more than fourfold.
Instagram and Children’s Data
Next, let’s look at the September 2022 fine against Meta via Instagram.
At €405m, this is the second-largest GDPR fine of all time. The issues included violations around children’s data, security, and Meta’s legal basis for processing.
The decision originated with a data breach involving children’s data.
Children found that they were able to convert their personal accounts to business accounts. These kids got extra analytics regarding their Instagram stories. But as business users, they also had to publish their contact details—in plaintext on the open web.
This incident prompted an examination of Meta’s lawful basis for publishing these contact details. Meta said it was relying on contract, where the child was old enough to agree to a contract, and “legitimate interests” where the child was too young to contract.
The DPC initially found Meta’s arguments to be reasonable. Again, the EDPB intervened here, forcing the DPC to find that this violated the GDPR’s rules on “lawfulness of processing” (and directing the DPC to increase the fine).
Meta’s Ad Model
Now, let’s consider the most recent fine against Meta—for violations involving Facebook and Instagram in January 2023.
The decisions conclude an epic investigation dating from May 2018 that has highly significant implications for Meta and other online service providers.
The case relates to how Meta justified its system of behavioural advertising.
Before the GDPR took effect, Meta (then Facebook) relied on “consent” for processing its users’ personal data for targeted advertising purposes. Users were required to consent in order to maintain a Facebook or Instagram account.
The GDPR changed the EU’s definition of “consent” for data processing, making the conditions for consent stricter.
Meta determined that its consent request would no longer fly. So on the day before the GDPR took effect, the company changed its terms of service, forcing users to accept targeted ads under “contract” (reportedly, this change was made following advice from the DPC).
Following a complaint about this change, the DPC found—initially—that relying on “contract” was valid. However, the EDPB disagreed, and once again the DPC was forced to change its decision, ruling out “contract” as a legal basis for Meta’s ad-targeting.
If Meta is forced to obtain consent for targeted ads, the company is likely to see a significant drop in revenue among its EU-based users. This would be a further blow to Meta after Apple forced third-party apps to request consent for tracking on iOS in 2021.
The DPC’s full decisions haven’t yet been released, but Meta claims that the DPC has not specifically ordered the company to go back to “consent”. This means the company might switch to “legitimate interests”—which would still require Instagram and Facebook to provide an opt-out.
Needless to say, Meta is appealing the decision.
Luxembourg: A Dark Horse?
Finally, the biggest GDPR fine of all time—€746m against Amazon, issued by… Luxembourg?!
The DPA of this tiny landlocked member state, the CNPD, is not known for its ferocious GDPR enforcement. In fact, except for this (comparatively) gigantic Amazon fine, the regulator’s penalties rarely reach six figures.
The Grand Duchy’s business secrecy rules prevent the CNPD from revealing much about its GDPR decisions. As such, the world only learned about Amazon’s fine because the company declared it in a filing with the US Securities and Exchange Commission (SEC).
But French NGO La Quadrature du Net (LQDN) claims that the penalty resulted from a May 2018 complaint it made together with 10,000 EU data subjects.
The complaint is available (in French), but we don’t know which violations the CNPD found in respect of Amazon (and, of course, the company is appealing).
But we do know what the complaint was about: cookies.
As with virtually all of the top ten data protection and privacy fines, Amazon’s cookie banners seemingly failed to satisfy the GDPR’s consent requirements.
A Reckoning for Poor Transparency and Consent Practices
Big tech’s tendency to trick, cajole or otherwise force people into accepting targeted ads has collectively cost the “Big 5” billions (Apple’s recent €8m CNIL fine was also cookie-related).
These tech giants can afford the penalties. But the EU’s insistence on proper notice and freely-given consent presents a far greater problem for big tech’s revenue streams.
As the consequences of these decisions begin to change the online landscape, companies embracing a transparent and fair approach to privacy should find themselves at an advantage.