- The Gisma University of Applied Sciences has analysed the amount of fines that companies have had to pay for data protection violations to date.
- The highest fines were imposed for offences committed by Meta (formerly Facebook) – the company has already had to pay 7.1 billion euros.
- Over 3,000 fines for violations of data protection laws have already been registered.
The General Data Protection Regulation (GDPR) came into force in November 2018 to standardise the rules for processing personal data across the EU. Violations of the GDPR can result in heavy fines. However, fines can also be imposed outside the EU for non-compliance with the applicable data protection laws.
The Gisma University of Applied Sciences (www.gisma.de) has analysed which companies worldwide have had to pay the highest fines to date and in which countries the strictest penalties have been imposed. Facebook and Meta lead the ranking with fines totalling 7.1 billion euros.
The highest fine for data protection offences went to Facebook
In 2019, the US consumer protection authority FTC imposed the highest fine for data protection offences in the history of the FTC against Facebook: the internet company had to pay five billion US dollars (4.6 billion euros). The fine was imposed for multiple violations of a 2012 FTC data protection order: in breach of its obligations, Facebook had misled users about how their personal data was used and about the options available for protecting it. Since October 2021, the company has been operating under the name Meta Platforms and has had to pay a fine of 1.8 billion euros for three further violations. Further offences on Instagram and WhatsApp led to fines of 405 and 230.5 million euros respectively.
Chinese ride-hailing company DiDi had to pay 1.2 billion euros
DiDi is considered the Chinese equivalent of Uber. The Chinese cyber supervisory authority imposed the second-highest fine in the study's ranking on the company for violations of national laws on network security, data security and the protection of personal information. Two DiDi executives were also fined CNY 1,000,000 (approx. EUR 144,903) each. In third place among the companies with the highest fines is Amazon with around 811 million euros resulting from five offences. Google and the US financial services company Equifax follow in fourth and fifth place with fines of EUR 781 million and EUR 522 million respectively. This means that four of the five companies with the most expensive offences come from the USA.
H&M online shop paid the highest fine of all German companies
H&M Hennes & Mauritz Online Shop A.B. & Co. KG has paid the highest fine of all German companies to date. In 2020, the company was fined just under 35.2 million euros for spying on employees at a service centre in Nuremberg. Second place among German companies goes to notebooksbilliger.de AG. The online shop for consumer electronics paid a fine of 10.4 million euros in 2021. Meanwhile, BREBAU GmbH, a housing association from Bremen, was fined 1.9 million euros in 2022, taking third place in this ranking.
AOK Baden-Württemberg and Volkswagen AG take fourth and fifth place with payments of 1.2 million euros in 2020 and 1.1 million euros in 2022.
The highest fines to date have been imposed in the USA
Companies around the world have already had to pay almost twelve billion euros in fines for data protection violations – almost half of this in the USA, which is mainly due to the immense fine imposed on Facebook. Ireland is in second place with around 2.9 billion euros in fines. China is in third place with 1.2 billion euros. This is partly due to the fact that many global corporations have their headquarters in these countries. Germany is in ninth place with fines totalling 6.2 million euros.
“Many companies underestimate the importance of data protection, security and ethics or even deliberately ignore them in order to sell data or analyse the behaviour of their customers, for example. Our study analysed more than 3,000 fines for around 2,500 companies. However, charges against numerous doctors and police officers and over 300 private individuals are also included. The high fines are an attempt by the authorities to emphasise that consumer data should not be handled carelessly.
This emphasises the importance of addressing cyber security, data security and ethics in education. It is of great importance to understand early on what effective measures can be taken to protect personal data and ensure its ethical use, and to recognise the importance of data protection for both individuals and companies. These aspects are important components in our degree programmes, for example in Business Management or in Data Science, AI and Digital Business. This is the only way to prevent data protection offences and the associated fines,” explains Prof. Dr Mohammad Mahdavi, Professor of Data Science.