EU’s tough data privacy rules rake in biggest annual fines

European Union data protection fines targeting Amazon.com Inc. and Meta Platforms Inc.’s WhatsApp helped push penalties to record levels last year, in a sign that the bloc’s tough privacy rules are starting to bite.

Luxembourg’s data protection authority last year slapped Amazon with its biggest fine since the EU’s General Data Protection Regulation took effect almost four years ago. The US online retailer is challenging the €746 million penalty. The Irish watchdog followed with the second-highest EU fine against WhatsApp, ordering it to pay €225 million for failing to be transparent about how it handled personal data.

The two record fines make up a large proportion of all GDPR fines in 2021, according to a report released by law firm DLA Piper on Tuesday. Total penalties rose sevenfold to €1.1 billion compared to €158.5 million in 2020.

The EU’s GDPR empowers data regulators to levy fines of as much as 4% of a company’s annual revenue for the most serious violations. Tensions have been building among data watchdogs over the amount of time Ireland’s authority is taking to complete probes of the likes of Facebook and Apple Inc. France’s watchdog has started to target US firms including Google, Amazon and Facebook with separate EU rules, fining them record amounts over their cookies policies.

While such record fines over privacy violations make headlines, another challenge facing companies will be to avoid regulatory scrutiny under GDPR. They must ensure they comply with a key EU court ruling in 2020 that limited the options to safely transfer data across the Atlantic, the report said.