Out of that, GDPR fines in 2022 total €832 million, which is 36% lower than the €1.3 billion paid in 2021.

However, last year stands out not in the total sum fined but in the severity of the charges imposed on a single entity — Meta.

The data for the analysis was extracted from Enforcementtracker. Note that not all cases are made public.

Out of that, GDPR fines in 2022 total €832 million, which is 36% lower than the €1.3 billion paid in 2021.

However, last year stands out not in the total sum fined but in the severity of the charges imposed on a single entity — Meta.

The data for the analysis was extracted from Enforcementtracker. Note that not all cases are made public.

Meta fined hundreds of millions repeatedly

Distinctively, the majority of the penalties in 2022 were paid by a single tech behemoth — Meta. 

The Data Protection Commission (DPC), an authority for GDPR enforcement in Ireland, imposed a €405 million fine for Meta Platforms Ireland Limited (Instagram) on September 5th, 2022.

In this case, two issues were found with the processing of personal data pertaining to child users of Instagram. 

The children's email addresses and phone numbers were publicly exposed when using the Instagram business account function, and Instagram profiles of kids were public-by-default.

Another hefty sum of €265 million was penalised to the same entity on November 25th, 2022, when the DPC declared that Meta had infringed two articles of the EU's data protection laws after details of Facebook users from around the world were scraped from public profiles in 2018 and 2019.

Moreover, the DPC issued a "reprimand and an order" forcing Meta to "bring its processing into compliance by executing a range of specified remedial activities within a specific deadline". 

Meta complied and made the adjustments within the required timeframe.

To date, Meta has paid around €1 billion for GDPR violations.

Closing remarks

Since May 25th, 2018, the Europe's new framework for data protection has impacted many businesses operating within the EU.

Because it is extra-territorial in nature, the GDPR applies to companies located outside of the EU. Specifically, the legislation is intended to defend the rights of data subjects rather than to govern corporations. A "data subject" is any EU citizen.

The GDPR's size and complexity made it a daunting task for most compliance departments.

Yet, it is necessary because as the world becomes more connected, it also renders it increasingly more difficult to remain anonymous, which is one of the most fundamental rights everyone should be able to enjoy, even if it means businesses have to scramble and change their approach to collecting and processing data as well as paying fines.