The European data protection authorities also imposed fines in the millions in December 2024. Meta alone received a fine of 251 million euros. The mobile communications group Orange was fined 50 million euros, and a fine of 15 million euros was imposed on the company behind ChatGPT.
Meta Platforms Ireland Ltd.: 251 million euros (Ireland)
On December 17, 2024, the Irish Data Protection Commission (DPC) announced its final decisions on two investigations against Meta Platforms Ireland Limited. These investigations were initiated by the DPC on its own initiative after Meta reported a personal data breach in September 2018. The incident affected around 29 million Facebook accounts worldwide, including around 3 million accounts of users from the EU. Compromised personal data included full name, email address, phone number, location, workplace, date of birth, religion, gender, timeline posts, group memberships and even children's data.
The data breach was caused by unauthorized third parties exploiting user tokens on the Facebook platform. Meta and its parent company in the USA rectified the incident shortly after it was discovered. Nevertheless, following an in-depth investigation, the DPC found several violations of the General Data Protection Regulation (GDPR) and imposed fines totaling 251 million euros. The infringements in detail:
- Article 33 paragraph 3 GDPR - When reporting the data breach, Meta did not provide all the information required by this provision, although it would have been possible to do so. The DPC imposed a fine of 8 million euros for this.
- Article 33 paragraph 5 GDPR - Meta failed to adequately document the facts of each incident and the remedial action taken, so that the supervisory authority could verify compliance. A fine of 3 million euros was imposed for this infringement.
- Article 25 paragraph 1 GDPR - Meta failed to take data protection principles into account in the design phase of its processing systems. This infringement was punished with a fine of 130 million euros.
- Article 25 paragraph 2 GDPR - Meta did not fulfil its obligation as the responsible party (controller) to ensure that, by default, personal data is processed only for specific purposes. This infringement was punished with a fine of 110 million euros.
Source: Communication from the Irish Data Protection Commission
Orange SA: 50 million euros (France)
The French data protection authority "Commission Nationale de l'Informatique et des Libertés" (CNIL) announced on December 10, 2024 that it had imposed a fine of 50 million euros on the leading French telecommunications provider Orange SA.
In its investigation, the CNIL found that Orange placed advertisements in users' inboxes that were visually almost indistinguishable from regular emails. According to Article L. 34-5 of the CPCE, any form of electronic advertising requires the prior consent of the persons concerned. This practice contradicted the case law of the European Court of Justice (ECJ), according to which any advertising that appears in a user's inbox is deemed to be use of e-mail for advertising purposes and is only permitted with the express consent of the user. Although Orange discontinued this practice in November 2023 and has since labeled its advertising more clearly, the CNIL classified the previous implementation as a serious infringement. The high number of users affected - more than 7.8 million - as well as the financial advantage Orange gained from the sale of advertising space were taken into account when calculating the fine.
In addition, the CNIL found that cookies set on users' devices continued to be read by Orange even after the users had withdrawn their consent. Article 82 of the French Data Protection Act (Loi Informatique et Libertés) stipulates that any storage of information on, or further processing of information from, terminal equipment may only take place with the express consent of the user, and that this consent must be revocable at any time. This practice not only violates the relationship of trust between user and provider, but also conflicts with the basic principles of the General Data Protection Regulation (GDPR) and the Data Protection Act (Loi Informatique et Libertés). The CNIL considered Orange's practice a clear infringement of these regulations, as users could not be sure that their withdrawal of consent was technically implemented. The CNIL emphasized that it is Orange's responsibility to implement technical solutions that prevent cookies from being read after consent has been withdrawn. For cookies set by Orange's partners, the company is responsible for ensuring that these partners also take appropriate measures.
In addition to the fine of 50 million euros, the CNIL also issued an order to stop the unauthorized reading of cookies within three months. A penalty payment of EUR 100,000 was set for each day of delay.
Source: CNIL fines Orange SA.
OpenAI: 15 million euros (Italy)
The Italian data protection authority (Garante per la Protezione dei Dati Personali) has fined OpenAI, the company behind the AI-supported chatbot ChatGPT, 15 million euros.
The investigation was initiated in March 2023 after the data protection authority found breaches in connection with the processing of personal data by OpenAI. The central allegations against OpenAI included:
- Failure to report a data breach: OpenAI had not properly reported a data breach that occurred in March 2023 to the authority.
- Insufficient legal basis for data processing (infringement of Article 6 GDPR): OpenAI processed personal data of users and non-users for the development and training of ChatGPT without an appropriate legal basis.
- Infringement of the transparency requirement: OpenAI did not sufficiently inform those affected about the processing of their data, as Art. 12 and 13 GDPR require.
- Missing age verification (infringement of Art. 8 GDPR): The lack of age verification led to children under 13 being exposed to potentially inappropriate content.
The Italian data protection authority not only imposed a fine of 15 million euros, but also made use of the powers under Art. 166 of the Italian Data Protection Act for the first time. OpenAI was obliged to carry out a broad-based information campaign via radio, television, print media and the Internet. The aim of this measure is to inform the public about how ChatGPT works, how data is collected and what rights those affected have. The six-month campaign is intended to inform users and non-users about how they can exercise their rights to object, to erasure and to rectification under the General Data Protection Regulation.
As OpenAI now has its European headquarters in Ireland, the proceedings have been transferred to the Irish data protection authority, which, as the lead supervisory authority, is now carrying out further investigations.
Source: Notice of fine Garante per la Protezione dei Dati Personali against OpenAI
Netflix International BV: 4.75 million euros (Netherlands)
The Dutch data protection authority Autoriteit Persoonsgegevens (AP) has imposed a fine of 4.75 million euros on Netflix International B.V. The streaming service was penalized for several breaches of the General Data Protection Regulation (GDPR), including a lack of transparency in its privacy policy and failure to comply with its duty to inform when responding to requests for information.
Netflix was accused of not providing sufficient information in its privacy policy about the purposes and legal basis of its data processing. The information on the recipients of the personal data, the storage periods and international data transfers was also incomplete. In addition, Netflix did not respond to customer requests for information with sufficient specificity. These infringements relate to Articles 12, 13 and 15 of the General Data Protection Regulation, which oblige companies to inform data subjects about the processing of their personal data in a transparent, understandable and accessible manner.
The investigation was initiated after the organization "None Of Your Business" (NOYB) submitted complaints on behalf of data subjects. NOYB criticized Netflix for not providing detailed information about the purposes of data processing, the categories of data concerned or the recipients when responding to requests for information. These gaps hindered the exercise of data subjects' rights, such as the right to erasure or the right to object.
In its decision published on December 18, 2024, the EDPS noted that the breaches could have a significant impact on the rights and freedoms of data subjects, as Netflix has millions of users worldwide, a significant proportion of whom are based in the European Union. However, Netflix was credited with having revised and improved its privacy policy several times during the proceedings. Nevertheless, the changes made were deemed insufficient to fully comply with the requirements of the General Data Protection Regulation.
The fine imposed takes into account both the seriousness of the violations and Netflix's market position. The AP emphasized that transparency and the protection of personal data are central pillars of the GDPR and that violations of these principles cannot be tolerated. In addition, the sanction is intended to have a deterrent effect in order to ensure compliance with data protection regulations. Netflix has lodged an appeal against the fine.
Source: Fining notice from the Autoriteit Persoonsgegevens against Netflix
Telefónica de España: 1.3 million euros (Spain)
The Spanish data protection authority Agencia Española de Protección de Datos (AEPD) has imposed a fine of 1.3 million euros on Telefónica after the personal data of its customers was compromised by a security breach. The mobile phone company had uncovered a security incident in September 2022 in which unknown persons had used employees' login details to infiltrate the company network in order to steal data.
The investigation revealed that 1,021,253 people were affected by the security breach, including customers of the subsidiaries Movistar and O2. The AEPD found that the technical and organizational measures to protect the collected data were inadequate; adequate measures could have prevented the incident. For example, a user name and password alone were sufficient to log into the company network.
The fine is made up of two penalties: 500,000 euros for the infringement of Art. 5 para. 1 lit. f GDPR and 800,000 euros for the infringement of Art. 32 GDPR.
Source: Notice of fine from the Agencia Española de Protección de Datos against Telefonica