GDPR fines: can they shift data collection practices?
The General Data Protection Regulation (GDPR) was expected to change invasive data collection practices because of high fines.¹ The regulation was implemented in May 2018, and since then, 2,433 fines have been registered on the GDPR Enforcement Tracker, amounting to over 4.6 billion euros in total. In this week’s chart, Surfshark’s research hub looks at the Media, Telecommunications, and Broadcasting sector — the most heavily fined sector overall — and analyzes the top companies that have received the largest fines.
Key insights
- The largest financial penalty to date for a violation of data privacy and security legislation has been imposed on Meta Platforms Ireland Ltd., amounting to 1.2 billion euros. The company operates in the Media, Telecommunications, and Broadcasting sector, which has been the most heavily fined overall, accounting for 72% of the total sum of fines in euros across all sectors. This can be attributed, at least in part, to the high turnover of the fined companies.²
- Further investigation into the companies with the top five highest fines in the Media, Telecommunications, and Broadcasting sector revealed that, since the GDPR came into force, the Facebook service was associated with four fines (amounting to over 1.7 billion euros in total), TikTok was linked to three fines (amounting to over 360 million euros in total), and Instagram and WhatsApp were each linked to two fines (amounting to 585 million euros in total for Instagram and over 230 million euros in total for WhatsApp, respectively). It is worth noting that the total fines imposed on these products and services have increased significantly since 2021. In 2021, the aggregate fines reached 285 million, while in 2022 they reached over 670 million, and in 2023, they reached around two billion.
- The most common violation of the GDPR associated with Facebook, TikTok, WhatsApp, and Instagram was non-compliance with general data processing principles. Article 12 of the GDPR (cited seven times) was the most frequently referenced article, which addresses transparent information, communication, and modalities for exercising data subject rights. It was followed by Article 5 and Article 13 of the GDPR (each cited five times). These infringements are considered more severe and may result in fines of up to 20 million euros or four percent of the company's worldwide annual revenue from the preceding financial year, whichever is higher.³
- All four of the apps associated with companies that were subject to the highest fines for GDPR infringements can handle data. Facebook and Instagram apps may collect 32 out of 35 unique data points.⁴ TikTok may use 25 and WhatsApp — 16 unique data points. In 2023, it was announced that Facebook and Instagram may collect 32 unique data points, while TikTok may collect 24 and WhatsApp 15.⁵
- Facebook and Instagram are still the most data-hungry apps, collecting over 90% of available data points, while both TikTok and WhatsApp have expanded their data collection by 1 data point each since 2023 (Other Data Types and Search History, respectively). Customer data protection is an essential issue, as customer complaints are the second most frequent cause of investigations by the data protection supervisory authorities.⁶
Methodology and sources
Data on GDPR fines was collected from the GDPR Enforcement Tracker on September 2, 2024. The GDPR Enforcement Tracker only contains publicly available fines from all EU Member States and the UK.² After identifying Meta and TikTok as the companies with the five highest fines in the Media, Telecommunications, and Broadcasting sector (as defined by the GDPR Enforcement Tracker), the fines related to their products were further investigated, along with the data points collected by their apps, including Facebook, Instagram, WhatsApp, and TikTok.
Note on data: The GDPR Enforcement Tracker may not be fully up to date. In some cases, organizations that were issued a GDPR penalty may have lodged a court appeal, which could ultimately result in a change to the original supervisory authority decision.
For the complete research material behind this study, visit here.
Data was collected from:
- CMS.Law (2024). GDPR Enforcement Tracker
- Apple (2024). App Store
References:
¹ Kollnig, K., Binns, R., Van Kleek, M., Lyngs, U., Zhao, J., Tinsman, C., & Shadbolt, N. (2021). Before and after GDPR: tracking in mobile apps. Internet Policy Review, 10(4).
² GDPR Enforcement Tracker Report: The CMS Data Protection Group is pleased to launch the 5th edition (2024).
³ Data protection under GDPR (2024).
⁴ App privacy details on the App Store (2024).
⁵ Which apps collect the most data? (2023).
⁶ Saemann, M., Theis, D., Urban, T., & Degeling, M. (2022). Investigating GDPR fines in the light of data flows. Proceedings on Privacy Enhancing Technologies, 2022(4).