GDPR fines hit €1.5 billion in H1 2023

William S. | July 12, 2023

General Data Protection Regulation (GDPR) established by the European Union is a formidable legal framework designed to regulate the processing and transfer of personal data across member states. Since its enforcement in May 2018, it has been a catalyst for change, urging businesses to prioritize protecting people's personal information.

According to the data analyzed by the Atlas VPN team, companies had to pay over €1.5 billion in GDPR fines through the first half of 2023. On May 25th, GDPR celebrated its 5th anniversary. Throughout this time, businesses received 1679 fines combining to a sum of nearly €4 billion.

The data is based on GDPR Enforcement Tracker statistics. CMS — International Law Firm tracked all of the numbers provided on the website. Please note that not all penalties are made public.

January and May were particularly noteworthy, with nearly €400 million and €1.2 billion in fines, respectively. Interestingly, both months saw fines issued against Meta Platforms which control Facebook, Instagram, WhatsApp, and other apps. These fines represented the 1st and 4th largest fines in GDPR history.

Although March only saw €1.5 million in fines, it was the month when businesses received the most penalties for data violations, with a total of 46 penalties issued. In June, data protection authorities also issued a high number of violations, with 44 fines resulting in nearly €49 million in penalties.

February was the month with the least amount of fines issued in H1 2023, with only 34 fines accounting for €2.6 million in penalties. Overall, businesses received 237 fines throughout the first half of 2023. During the same period last year, data protection authorities issued 239 penalties.

Countries with most GDPR violations

As we delve into the topic of countries with the most GDPR violations, it's important to note that no country is immune to data privacy issues. However, some countries have had more violations than others. Here let’s look at the top countries with the most GDPR fines and the factors contributing to their high numbers.

Since the start of GDPR, Spain has accumulated 689 fines resulting in over €60 million in penalties. While, the average of each fine is about €88K, Spanish businesses received more than 2 times the amount of fines than any other country. Spain imposed most fines for violating GDPR's processing principles and lawful grounds for processing.

Italy's data protection authorities have issued 284 fines, totaling €133 million in penalties. The average fine here is about €468K. One of the largest penalties issued by Italian authorities was a €7.6 million fine given to telecommunications company TIM in April 2023, which violated multiple GDPR articles.

Germany has received the third-highest number of violations, totaling 160. These fines have resulted in penalties of €55 million. The average fine to a business that violated GDPR in Germany is €345K.

Romania is the last country whose authorities have issued over 100 fines in the 5 years of GDPR’s existence. In addition, Romania has a very low average penalty of only €5390. Greece stands out from the rest of the countries with a high average per fine of €525K.

The GDPR fines are significantly impacting how businesses operate and handle data. Companies must prioritize data privacy and security to avoid potential fines and reputational damage. As we move forward, companies must continue investing in their data protection strategies and staying informed about any updates or changes to the GDPR.