Built for your industry

Meta (Facebook)

Ireland’s Data Protection Commission imposed a record GDPR fine on Meta for transferring EU user data to the US without adequate safeguards. The ruling found Meta’s use of Standard Contractual Clauses did not address the risks identified by the CJEU, and ordered Meta to suspend US data transfers.

Anthem Inc.

Record HIPAA settlement with HHS following a cyber attack that exposed the electronic protected health information of nearly 79 million people. OCR’s investigation found Anthem failed to conduct an enterprise-wide risk analysis and lacked adequate access controls to prevent the breach.

Morgan Stanley

The OCC imposed a $60 million civil penalty for failures in oversight when decommissioning two wealth management data centers. Morgan Stanley failed to adequately assess risks, exercise due diligence in selecting a vendor, and maintain proper inventory of customer data on decommissioned hardware.

Amazon Europe

Luxembourg’s data protection authority (CNPD) imposed a €746 million fine on Amazon for processing personal data for personalized advertising without valid consent. The fine followed a complaint by French NGO La Quadrature du Net on behalf of 10,000 individuals. Amazon’s appeal was rejected in 2025.

British Airways

The UK ICO imposed its largest-ever fine on British Airways for inadequate security measures that allowed attackers to access personal data of approximately 430,000 customers, including payment card details. The fine was reduced from an initial £183 million after mitigating factors and COVID-19 hardship were considered.

Criteo

France’s CNIL imposed a €40 million GDPR fine on adtech giant Criteo for five infringements including failing to verify that users had consented to tracking for targeted advertising, inadequate transparency, and failure to comply with erasure and withdrawal rights. The fine was upheld by France’s Conseil d’État in March 2026.

TIM (Telecom Italia)

Italy’s Garante imposed a €27.8 million fine following hundreds of complaints about unsolicited marketing calls made without consent. The investigation found TIM’s blacklists did not match those of its call centers, and phone numbers were used for marketing without customer authorization. The Garante also imposed 20 corrective measures.

Edmodo

The FTC obtained an order against EdTech provider Edmodo for violating COPPA by collecting children’s personal data for advertising without parental consent and unlawfully outsourcing its COPPA compliance to schools. The order included a $6 million penalty and required Edmodo to delete algorithms built on children’s data.

Dedalus Biologie

France’s CNIL imposed a €1.5 million fine on medical software provider Dedalus Biologie after a massive data breach exposed sensitive health data — including HIV status, cancers, and genetic information — of nearly 500,000 individuals. The investigation found serious security failures during a software migration, lack of encryption, and no data processing agreement in place.

Deutsche Wohnen

Berlin’s Data Protection Commissioner imposed Germany’s first multi-million GDPR fine on Deutsche Wohnen for storing years of tenant personal data — including salary certificates, tax records, and bank statements — in an archive system with no mechanism to delete data that was no longer required.

TikTok

Ireland’s DPC imposed a €345 million fine on TikTok for GDPR violations in handling children’s accounts. The investigation found TikTok set child profiles to public by default, used dark patterns in its interface, and allowed unverified adults to pair with child accounts through its Family Pairing feature.

Clearview AI

Multiple European DPAs — France (CNIL), Italy (Garante), and Greece (HDPA) — each imposed €20 million fines on Clearview AI for scraping billions of facial images from the internet without consent or legal basis. The CNIL ordered Clearview AI to delete all data of individuals residing in France within two months.