Meta Platforms (Facebook)
Meta transferred personal data from EU Facebook users to the US using Standard Contractual Clauses, without conducting adequate Transfer Impact Assessments following the Schrems II judgment. Meta was ordered to suspend future transfers and bring existing ones into compliance within six months. This remains the largest GDPR fine ever issued.
Full DPC decisionX Corp (Twitter)
X Corp processed EU users' personal data — including inferred special categories — through its MoPub advertising network without valid legal basis. The investigation found X relied on consent and legitimate interests unlawfully across its advertising data processing chain.
DPC press releasesMeta Platforms (Instagram)
Meta Instagram defaulted accounts of users aged 13–17 to public, and displayed email addresses and phone numbers of child accounts publicly. The investigation found multiple GDPR violations including failure to comply with the principle of data protection by design and by default (Article 25) with respect to children's data.
DPC decision summaryLinkedIn Ireland
LinkedIn processed personal data for behavioural advertising without a valid legal basis. The DPC found that LinkedIn incorrectly applied legitimate interests, consent, and contractual necessity across different processing activities. LinkedIn was ordered to bring its processing into compliance within a set timeframe.
DPC announcementMeta Platforms (Facebook) — Data Scraping
A dataset of 533 million Facebook user records — obtained via scraping the contact import feature — was published on hacking forums in April 2021. The DPC found Meta failed to implement adequate technical and organisational measures to prevent the large-scale scraping, violating GDPR Article 25 (data protection by design and default).
DPC press releaseWhatsApp Ireland
WhatsApp failed to transparently inform users and non-users about how their data was processed, including sharing with other Meta companies. The fine was increased significantly from the DPC's original proposal after the EDPB issued a binding dispute resolution decision under Article 65 — the first major use of this mechanism.
DPC decisionAmazon Europe Core
Luxembourg's CNPD fined Amazon for processing personal data for advertising purposes without proper consent. The case was brought by NOYB on behalf of EU consumers. Amazon contested the fine, and while it remains the largest fine from a non-Irish DPA, it is under appeal. The case highlighted the role of small-country lead supervisory authorities for major tech companies.
CNPD statementGoogle LLC
France's CNIL issued the first major GDPR fine against a US tech giant — €50 million against Google for lack of transparency and invalid consent for personalised advertising. The decision was groundbreaking as it applied GDPR to the entire Google advertising ecosystem and signalled that regulatory intent would go beyond data breaches to target fundamental consent violations.
CNIL decision