Meta Platforms (Facebook)
Meta transferred personal data from EU Facebook users to the US using Standard Contractual Clauses, without conducting adequate Transfer Impact Assessments following the Schrems II judgment. Meta was ordered to suspend future transfers and bring existing ones into compliance within six months. This remains the largest GDPR fine ever issued.
Full DPC decisionX Corp (Twitter)
X Corp processed EU users' personal data — including inferred special categories — through its MoPub advertising network without valid legal basis. The investigation found X relied on consent and legitimate interests unlawfully across its advertising data processing chain.
DPC press releasesTikTok Technology Limited
TikTok transferred European users' personal data to China without adequate safeguards. The DPC found TikTok failed to verify that EEA user data accessed remotely by Chinese staff received protection equivalent to EU standards. TikTok also stored some EU data on Chinese servers contrary to its earlier representations.
DPC press releasesMeta Platforms (Instagram)
Meta Instagram defaulted accounts of users aged 13–17 to public, and displayed email addresses and phone numbers of child accounts publicly. The investigation found multiple GDPR violations including failure to comply with the principle of data protection by design and by default (Article 25) with respect to children's data.
DPC decision summaryLinkedIn Ireland
LinkedIn processed personal data for behavioural advertising without a valid legal basis. The DPC found that LinkedIn incorrectly applied legitimate interests, consent, and contractual necessity across different processing activities. LinkedIn was ordered to bring its processing into compliance within a set timeframe.
DPC announcementGoogle (Gmail Spam)
France's CNIL fined Google €325 million for sending unsolicited promotional emails to Gmail users without valid consent. The case was brought by NOYB and found that Google leveraged its position in email to push advertising content in violation of GDPR consent requirements.
NOYB coverageUber B.V.
The Dutch DPA fined Uber €290 million for transferring European drivers' personal data to the United States without adequate safeguards following the Schrems II judgment. The case mirrors Meta's 2023 fine and demonstrates that enforcement of international transfer rules extends beyond social media platforms.
Dutch DPA announcementMeta Platforms (Facebook) — Data Scraping
A dataset of 533 million Facebook user records — obtained via scraping the contact import feature — was published on hacking forums in April 2021. The DPC found Meta failed to implement adequate technical and organisational measures to prevent the large-scale scraping, violating GDPR Article 25 (data protection by design and default).
DPC press releaseWhatsApp Ireland
WhatsApp failed to transparently inform users and non-users about how their data was processed, including sharing with other Meta companies. The fine was increased significantly from the DPC's original proposal after the EDPB issued a binding dispute resolution decision under Article 65 — the first major use of this mechanism.
DPC decisionAmazon Europe Core
Luxembourg's CNPD fined Amazon for processing personal data for advertising purposes without proper consent. The case was brought by NOYB on behalf of EU consumers. Amazon contested the fine, and while it remains the largest fine from a non-Irish DPA, it is under appeal. The case highlighted the role of small-country lead supervisory authorities for major tech companies.
CNPD statementGoogle LLC
France's CNIL issued the first major GDPR fine against a US tech giant — €50 million against Google for lack of transparency and invalid consent for personalised advertising. The decision was groundbreaking as it applied GDPR to the entire Google advertising ecosystem and signalled that regulatory intent would go beyond data breaches to target fundamental consent violations.
CNIL decision