What to Learn from 2023 Data Privacy Fines

James Grieco
James Grieco
Dec 20, 2023
min read
What to Learn from 2023 Data Privacy Fines

The idea of data privacy regulations has, in the short history since the EU’s GDPR came into effect and revitalized the industry, far outpaced the execution of them. When talking to privacy professionals about what they’d like to see done differently, the majority mention enforcement needing to be stepped up.

2023 Data Privacy Enforcement

Well, for 2023, it’s done just that. Of course, it’s important to note that this was only the sixth year of GDPR enforcement, and the United States entered 2023 with just a single comprehensive data privacy law–California’s CCPA–on the books. Still, this year saw a marked jump in the frequency and severity of fines regulators were handing out, which means lots of lessons to take away on who was fined, why they were fined, and how much they were fined.

First, the cumulative numbers for 2023:

  • 438 total GDPR fines
  • €2.054 Billion/$2.248 Billion in fines 

Both of those figures are records, with the total number of GDPR fines, 438, just edging 2021’s 434 fines, but blowing 2022’s 292 out of the water.

Monetarily, this is the first year in history GDPR fines topped $1 billion in a single calendar year, with 2021’s total figure coming in at €1.277 billion and 2022’s figure coming in at just €743 million. 

With the exception of 2022, following violations from the onset of GDPR is a line that has steadily increased, showing that as time goes on, European regulators are getting more comfortable issuing fines for noncompliant behavior. 

The majority of GDPR fines are for less than $50,000, with very few even rising above the million-Euro mark, but every year has a few that come in at a massive number. 2023’s total is buoyed by a May fine slapped on Meta totalling €1.2 billion, the largest GDPR fine ever issued.

That fine was over Meta’s continued data transfers from users in Europe to the United States, as there were not sufficient data protections in place in the U.S. This directly violated Article 46 of the GDPR, which is actually one of the few times in history that article has been quoted in a violation. 

Notable GDPR Fines in 2023

The ten largest GDPR fines handed out this year were:

  • Meta - €1.2 Billion (largest GDPR fine ever issued)
  • Meta - €390 Million (4th largest GDPR fine ever issued)
  • TikTok - €345 Million (5th largest GDPR fine ever issued)
  • CRITEO - €40 Million
  • TikTok - €14.5 Million
  • Axpo Italia SpA - €10 Million
  • Tim SpA - €7.63 Million
  • WhatsApp (Meta) - €5.5 Million
  • EOS Matrix (Debt Collection Agency) - €5.47 Million
  • Clearview AI - €5.2 Million* (Clearview AI successfully beat a prior GDPR violation over similar issues, so this may not hold up)
  • Spotify - €4.9 Million

Historically, far and away the most common reason for a GDPR fine has been “Non-compliance with general data processing principles,” which is a catch-all reason when companies are violating numerous GDPR Articles simultaneously. 

In 2023, Meta’s €390 million fine, both of TikTok’s fines, and Axto Italia’s fine all fell under this category. Particularly for Meta & TikTok, global social media companies, that hodgepodge of data processing malpractices spells trouble going forward, as each needs dramatic changes to their privacy policies to correct the litany of cited issues. 

Of the remaining fines above, all of the companies either failed to cement a proper legal basis for data processing or to demonstrate a sufficient fulfillment of data subject rights (Criteo, Spotify).  

As for the origins of each fine, Ireland brought forth four of the top-10 fines, Italy and France each brought two, and Croatia, The UK, and Sweden all brought one each. 

Takeaways from 2023 GDPR Fines

These findings reflect how many privacy professionals feel, which is that the Irish Data Protection Commission is the most active in Europe, while countries like Italy are also unafraid to issue a violation or make regulatory headlines. Of note is Germany’s absence, as one would expect such an economic powerhouse and prominent EU member state to be more on the ball, however Germany’s DPC had a much quieter year in 2023 than it has in previous years.

From the list of companies on the receiving end of fines, the presence of Big Tech continues, with Meta the most constant target. In fact, a major criticism of regulatory enforcement has been a hyper focus on Big Tech, but if DPC’s can turn limited enforcement resources into fines of hundreds of millions of dollars, that has to be considered a victory for data privacy. 

The inclusion of names like Criteo, Axpo Italia, and a Croatian debt collection agency balance out those claims of Big Tech bias, as these companies are far from household names across all of Europe or the U.S. 

This is arguably the most eclectic collection of companies receiving major GDPR fines yet, and a clear signal–alongside record-breaking numbers–that enforcement is maturing past the legislation’s earliest days. 

2023 Data Privacy Fines in the U.S.

On the American front, another Big Tech company paid up on a data privacy fine, as in September Google agreed to settle a CCPA violation for $93 million. The issue stemmed from Google’s location-privacy practices, which California determined after extensive investigation were “deceiving users by collecting, storing, and using their location data for consumer profiling and advertising purposes without informed consent.”

The United States’ data privacy scene grew rapidly in 2023, with Virginia, Colorado, Connecticut, and Utah’s comprehensive laws all coming into effect throughout the year, and eight more states passing comprehensive laws that will come on line over the next 24 months. 

While none of those new laws resulted in fines and official violations, a common thread in American data privacy in 2023 was a renewed emphasis on children’s online safety and privacy. This is reflected by three FTC fines over violations of the Children’s Online Privacy Protection Act (COPPA).

  • Amazon - $25 Million
  • Microsoft - $20 Million
  • Edmodo - $6 Million

Although the scope and quantity pales in comparison to the EU’s enforcement of GDPR, it is heartening to see the U.S. take these issues more seriously and push back–particularly against Big Tech, most of which are originally American corporations. 

2023: An Enforcement Success

All in all, 2023 has been a noteworthy year for enforcement, a reality that might not always match broader sentiment in the privacy community. Regulators continue to closely monitor Big Tech while doing due diligence on a wider range of potential violations–evidenced by over 400 fines of less than $1 million handed out through the year. 

No company, big or small, can rest easy without a proper privacy program in place, and as the first wave of privacy regulations continue to mature and evolve and more and more new regulations pass worldwide, enforcement will keep pace and continue improving. 

In today’s digital world, that should bring a sigh of relief to anyone who cares about privacy.