By 
Cybersecurity expert breaks down the biggest GDPR fines of 2022 and the reasoning behind them
The General Data Protection Regulation, known as GDPR, is the leading data protection law in the European Union. Introduced in 2018, it has become a staple and is used as a model for comprehensive privacy laws around the world. Even though the GDPR is still quite new, defiance of the law has already cost companies over €30 billion in nearly 30 thousand cases.
RELATED: GDPR fines hit nearly €100 million in H1 2022
“Enforcement of the GDPR has only started ramping up. If you look at the statistics, the number of cases and the cost of fines are rising exponentially every year. In 2022 alone, companies paid more in GDPR fines than in all the previous years combined. And the trend shows no sign of stopping,” says Oliver Noble, a cybersecurity expert at NordLocker
NordLocker, part of Nord Security, is the world’s first end-to-end file encryption tool with a private cloud. It was created by the cybersecurity experts behind NordVPN – one of the most advanced VPN service providers in the world.
Looking back at 2022, Noble outlines below the biggest GDPR offenders of last year and dives into what they did wrong.
Meta Platforms, Inc.
Meta – the company behind Facebook, Instagram, and Whatsapp – was fined almost €700 million in total in 2022. The biggest blow came in September, when Meta was fined a whopping €405 million, which was the second biggest GDPR fine of all time, surpassed only by Amazon, which was fined €746 million in 2021.
The ruling came because Meta’s subsidiary, Instagram, mishandled children’s privacy settings by allowing them to create business accounts that publicly displayed their contact information and failed to ensure that children’s accounts on the platform would be set to “private” by default.
Just recently, in November, Meta also received a hefty penalty worth €265 million from Ireland’s Data Protection Commission for failing to stop the online scraping of delicate data of millions of Facebook users.
Meta’s violations didn’t end there. In March 2022, it was fined another €17 million for a data breach that happened in 2018.
Clearview AI, Inc.
Clearview AI – a facial recognition software company – received four fines related to GDPR violations in 2022, which cost the company €69 million. The fines were issued by authorities in Italy, France, Germany, and the UK, with all four fines related to the company’s unauthorized data processing.
Clearview AI has a database of several billion faces from all over the internet, which it gathered using artificial intelligence. The database is then enriched with metadata such as location, website addresses, and social media accounts to create biometric profiles of people from around the world.
Google LLC
The multinational technology company was fined €10 million for the unauthorized transfer of personal data and failure to comply with the right of erasure. Google unlawfully shared data that was requested to be removed from its services with the Lumen project – a database of legal complaints and requests for removal of online materials. By doing so, Google violated the GDPR’s Article 17 (“Right to be erasure”) and Article 6 (“Lawfulness of processing”).
COVER IMAGE: CPO Magazine
