Log in
Get Surfshark
Research
Digital democracy
Cybersecurity
Chart of the week
About research hub
Published:Sep 10, 2024

Digital democracy|Digital privacy

GDPR fines: can they shift data collection practices?

The General Data Protection Regulation (GDPR) was expected to change invasive data collection practices because of high fines.¹ The regulation was implemented in May 2018, and since then, 2,433 fines have been registered on the GDPR Enforcement Tracker, amounting to over 4.6 billion euros in total. In this week’s chart, Surfshark’s research hub looks at the Media, Telecommunications, and Broadcasting sector — the most heavily fined sector overall — and analyzes the top companies that have received the largest fines.

Key insights

  • The largest financial penalty to date for a violation of data privacy and security legislation has been imposed on Meta Platforms Ireland Ltd., amounting to 1.2 billion euros. The company operates in the Media, Telecommunications, and Broadcasting sector, which has been the most heavily fined overall, accounting for 72% of the total sum of fines in euros across all sectors. This can be attributed, at least in part, to the high turnover of the fined companies.²
  • Further investigation into the companies with the top five highest fines in the Media, Telecommunications, and Broadcasting sector revealed that Facebook service was associated with four fines (amounting to over 1.7 billion euros in total), TikTok was linked to three fines (amounting to over 360 million euros in total), while Instagram and WhatsApp were each linked to two fines (accordingly, amounting to 585 million euros in total for Instagram and over 230 million euros in total for WhatsApp) since the GDPR came into force. It is worth noting that the total fines imposed on these products and services have increased significantly since 2021. In 2021, the aggregate fines reached 285 million, while in 2022 they reached over 670 million, and in 2023, they reached around two billion.
  • The most common violation of the GDPR associated with Facebook, TikTok, WhatsApp, and Instagram was non-compliance with general data processing principles. Article 12 of the GDPR (cited seven times) was the most frequently referenced article, which addresses transparent information, communication, and modalities for exercising data subject rights. It was followed by Article 5 and Article 13 of the GDPR (each cited five times). These infringements are considered more severe and may result in fines of up to 20 million euros or four percent of the company's worldwide annual revenue from the preceding financial year, whichever is higher.³
  • All out of four apps associated with companies that were subject to the highest fines for GDPR infringements can handle data. Facebook and Instagram apps may collect 32 out of 35 unique data points.⁴ TikTok may use 25 and WhatsApp — 16 unique data points. In 2023, it was announced that Facebook and Instagram may collect 32 unique data points, while TikTok may collect 24 and WhatsApp 15.⁵
  • Facebook and Instagram are still the most data-hungry apps, collecting over 90% of available data points, while both TikTok and WhatsApp have expanded their data collection by 1 data point each since 2023 (accordingly, Other Data Types and Search History). Customer data protection is an essential issue as customer complaints are the second most frequent cause of investigations by the data protection supervisory authorities.⁶

Methodology and sources

Data on GDPR fines was collected from the GDPR Enforcement Tracker on September 2, 2024. The GDPR Enforcement Tracker only contains publicly available fines from all EU Member States and the UK.² After identifying Meta and TikTok as the companies with the five highest fines in the Media, Telecommunications, and Broadcasting sector (as defined by the GDPR Enforcement Tracker), the fines related to their products were further investigated, along with the data points collected by their apps, including Facebook, Instagram, WhatsApp, and TikTok.

Note on data: The GDPR Enforcement Tracker may not be fully up to date. In some cases, organizations that were issued a GDPR penalty may have lodged a court appeal, which could ultimately result in a change to the original supervisory authority decision.

For the complete research material behind this study, visit here.

Data was collected from:

CMS.Law (2024). GDPR Enforcement TrackerApple (2024). App Store

References:

¹ Kollnig, K. & Binns, R. & Van Kleek, M. & Lyngs, U. & Zhao, J. & Tinsman, C. & Shadbolt, N. (2021). Before and after GDPR: tracking in mobile apps. Internet Policy Review, 10(4);² GDPR Enforcement Tracker Report: The CMS Data Protection Group is pleased to launch the 5th edition (2024);³ Data protection under GDPR (2024);⁴ App privacy details on the App Store (2024);⁵ Which apps collect the most data? (2023);⁶ Saemann, M., Theis, D., Urban, T., & Degeling, M. (2022). Investigating GDPR fines in the light of data flows. Proceedings on Privacy Enhancing Technologies, 2022(4).
The team behind this research:About us

Related articles:

Is privacy an illusion under a security camera’s watch?
Digital privacy | Aug 27, 2024

Is privacy an illusion under a security camera’s watch?

Surfshark’s study reveals that outdoor security camera apps are major data collectors, highlighting the risks of hacking and data leaks.
Dangerous permissions in adult toy apps
Digital privacy | Feb 13, 2024

Dangerous permissions in adult toy apps

On average, adult toy apps request 22 permissions. Among these, the investigated apps require 13 different types of permissions deemed as dangerous, including reading external storage, recording audio, precise location tracking, and more.
Holiday tech gifts: how data-hungry are they?
Digital privacy | Dec 19, 2023

Holiday tech gifts: how data-hungry are they?

Unveil the data privacy practices of trending Christmas tech gifts. From smartwatches to gaming devices, Surfshark's study delves into the often-overlooked privacy policies of accompanying apps.