
Sizable fines assessed for data breaches in recent years suggest that regulators are getting more serious about cracking down on organizations that don’t properly protect consumer data.
Hit with a $1.3 billion fine for unlawfully transferring personal data from the European Union to the US, Meta tops the list of recent big-ticket sanctions. The only other ten-figure penalty was levied against the Chinese ride-hailing firm Didi Global for violating that country's data protection laws. The third-largest penalty was the $877 million fine against Amazon in 2021 for running afoul of Europe's General Data Protection Regulation (GDPR).
Here are the biggest fines and penalties assessed for data breaches or non-compliance with security and privacy laws.
In May 2023, Ireland's Data Protection Commission (DPC) concluded an inquiry into Meta Platforms Ireland Limited ("Meta Ireland") that it had opened in August 2020, billing the social media giant €1.2 billion ($1.3 billion) for violating the GDPR. Citing Article 46(1) of the GDPR, which governs transfers to third countries subject to appropriate safeguards, the Irish privacy watchdog found that Meta Ireland had transferred personal data from the EU and the European Economic Area (EEA) to the US without adequate safeguards in connection with the delivery of its Facebook service. Meta's president of global affairs, Nick Clegg, said, "We intend to appeal both the decision's substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines."
Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan ($1.19 billion) by the Cyberspace Administration of China after the regulator found that the company had violated the nation's network security law, data security law, and personal information protection law. In a statement, Didi Global said it accepted the cybersecurity regulator's decision, which came after a year-long investigation into the firm over its security practices and "suspected illegal activities."
In summer 2021, retail giant Amazon's financial filings revealed that Luxembourg's data protection authority had issued a €746 million (then $877 million) fine for breaches of the GDPR. Amazon was expected to appeal the fine, with a spokesperson stating, "There has been no data breach, and no customer data has been exposed to any third party." La Quadrature du Net, the French digital rights organization that filed the original data protection complaint against Amazon on behalf of 10,065 individual complainants in May 2018, said that response was unsurprising, since its 19-page complaint targeted Amazon's operation of a behavioral advertising system without adequate consent, not a leak of personal data.
In 2017, Equifax lost the personal and financial information of nearly 150 million people through an unpatched critical vulnerability in the Apache Struts web framework used by one of its consumer-facing web applications. The company had failed to apply the fix for months after the patch had been released, and then failed to inform the public of the breach for weeks after it had been discovered.
In July 2019, the credit reporting agency agreed to pay $575 million, potentially rising to $700 million, in a settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories over the company's "failure to take reasonable steps to secure its network."
Of that total, $300 million goes to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million goes to 48 states, the District of Columbia and Puerto Rico, and $100 million goes to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”
Equifax had already been fined £500,000 (roughly $625,000) in the UK for the 2017 breach, the maximum penalty allowed under the pre-GDPR Data Protection Act 1998.
In 2020, Equifax paid further settlements relating to the breach: $7.75 million (plus $2 million in legal fees) to financial institutions in the US, plus $18.2 million and $19.5 million to the states of Massachusetts and Indiana respectively.
Concluding two inquiries into Meta's data processing operations in Europe, opened on the day the GDPR came into force (25 May 2018), the Irish Data Protection Commission (DPC) announced in January 2023 that it had found Meta in breach of the GDPR "in connection with the delivery of its Facebook and Instagram services". Meta Ireland was fined €210 million ($225 million) for the Facebook violations and €180 million ($193 million) for the Instagram violations.
Meta's data processing operations for the Facebook and Instagram services were found to violate several articles of the GDPR, including Articles 5(1)(a), 6(1), 12 and 13(1)(c), which concern the lawfulness and transparency of processing and the information that must be given to users.
In September 2022, Ireland's Data Protection Commission (DPC) fined Instagram €405 million for violating children's privacy under the GDPR. The long-running complaint concerned data belonging to minors, particularly phone numbers and email addresses, which were exposed publicly when some young users switched their profiles to business accounts in order to access analytics tools such as profile visit counts.
Instagram’s owner, Meta, said it planned to appeal against the decision. “This inquiry focused on old settings that we updated over a year ago and we’ve since released many new features to help keep teens safe and their information private,” a Meta official told BBC News. “While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it.”
Andy Burrows, head of child safety online policy at the National Society for the Prevention of Cruelty to Children (NSPCC), said, "This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram. The ruling demonstrates how effective enforcement can protect children on social media and underlines how regulation is already making children safer online."
In September 2023, TikTok was handed a €345 million ($370 million) fine by the Irish Data Protection Commission (DPC) for violating children's data privacy under the GDPR. The DPC found that TikTok had not been transparent enough with children about its privacy settings, and raised questions about how their data was processed.
The inquiry sought to examine the extent to which, during the period between July 31 2020 and December 31 2020, TikTok complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform in the context of:
"As part of the inquiry, the DPC also examined certain of TTL's transparency obligations, including the extent of information provided to child users in relation to default settings," the DPC said, referring to TikTok Technology Limited. The DPC's decision, adopted on September 1, 2023, recorded findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) of the GDPR, relating to a range of matters including data minimisation, data security, data protection by design and by default, and transparency towards users.
A spokesperson for the social media firm told media outlets, “We respectfully disagree with the decision, particularly the level of the fine imposed.”
In July 2022, mobile communications giant T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021 and affected an estimated 77 million people. T-Mobile confirmed "unauthorized access" to its systems after a portion of customer data was listed for sale on a known cybercriminal forum. In an SEC filing, the company revealed that it would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs' counsel, and the costs of administering the settlement. The company also committed to an aggregate incremental spend of $150 million on data security and related technology in 2022 and 2023.
“The company anticipates that, upon court approval, the settlement will provide a full release of all claims arising out of the cyberattack by class members, who do not opt out, against all defendants, including the company, its subsidiaries and affiliates, and its directors and officers,” the filing read. “The settlement contains no admission of liability, wrongdoing or responsibility by any of the defendants. Class members consist of all individuals whose personal information was compromised in the breach, subject to certain exceptions set forth in the agreement. The company believes that terms of the proposed settlement are in line with other settlements of similar types of claims,” it added.
In November 2022, the Irish Data Protection Commission (DPC) fined Meta €265 million ($277 million) over the scraping and online publication of personal data belonging to more than 500 million users. The DPC opened its inquiry on April 14, 2021, following reports that a collated data set of Facebook personal data had been made available on the internet. The inquiry examined and assessed the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited ("MPIL") between May 25, 2018, and September 2019. "The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default," the DPC wrote. "The DPC examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept). There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC."