
Lessons from GDPR Fines
Seven years of GDPR enforcement have produced over €6 billion in fines. These are not abstract regulatory actions. They are precedents that define how data protection law will be applied to every organisation operating in the digital economy, including those preparing for India DPDPA compliance.
"GDPR enforcement is not about punishing data processors. It is about establishing that personal data has value, that individuals have rights, and that organisations bear responsibility. Every fine tells a story about what regulators expect and what they will not tolerate."
Anandaday Misshra
Landmark Enforcement Actions
These cases represent the most significant regulatory interventions under GDPR. Each decision establishes precedent that shapes compliance expectations globally.
Meta Platforms Ireland (Irish DPC)
Violation: Unlawful transfer of personal data to the United States without adequate safeguards following the Schrems II ruling.
Lesson: Cross-border data transfers require legally defensible mechanisms. Standard Contractual Clauses alone are insufficient when surveillance risks remain unaddressed.

Amazon Europe (Luxembourg CNPD)
Violation: Processing personal data for targeted advertising without valid consent and failing to meet transparency obligations.
Lesson: Consent architecture must be granular, informed, and freely given. Bundled consent and dark patterns expose organisations to existential penalties.

TikTok Technology Limited (Irish DPC)
Violation: Unlawfully transferring European users' personal data to servers in China without adequate protections and failing to conduct risk assessments regarding Chinese surveillance laws.
Lesson: Data transfers to jurisdictions with extensive state access powers require rigorous impact assessments. Failure to document transfer risks invites maximum penalties.

Meta Platforms (Madrid Court)
Violation: Unlawfully processing user data by switching from user consent to contract necessity as the legal basis, gaining an unfair advantage in the online advertising market.
Lesson: Legal basis shopping is not permitted. Organisations cannot switch between legal bases to circumvent consent requirements. Regulators scrutinise changes in processing justification.

Irish DPC (organisation not named on the page)
Violation: Unlawful processing of user data for behavioural analysis and targeted advertising without a valid legal basis, and failing to provide clear information about data usage.
Lesson: Behavioural advertising requires robust consent infrastructure. Neither legitimate interest nor contractual necessity justifies extensive profiling without transparent user choice.

Uber Technologies (Dutch DPA)
Violation: Unlawfully transferring sensitive driver data, including location, payment details, and medical records, from the EU to the United States without adequate safeguards.
Lesson: Sensitive data categories demand heightened protection in transfers. Retaining health and criminal records on foreign servers without valid transfer mechanisms triggers substantial penalties.

Meta (Facebook) (Irish DPC)
Violation: Security breach from 2018 affecting 29 million users globally, failing to implement privacy by design and by default, and submitting incomplete breach notifications.
Lesson: Breach notification obligations are comprehensive. Incomplete disclosures compound initial security failures. Privacy by design is not optional architecture.

Meta (Instagram) (Irish DPC)
Violation: Processing children's personal data and making teen accounts public by default.
Lesson: Processing children's data demands heightened protection. Age verification and privacy by default are mandatory, not optional design choices.

Meta (Facebook) (Irish DPC)
Violation: Data scraping incident exposing 533 million users' personal information due to inadequate security measures.
Lesson: Security is not a one-time implementation. Continuous monitoring, penetration testing, and proactive threat assessment are regulatory expectations.

British Airways (UK ICO)
Violation: Data breach affecting 500,000 customers due to poor security arrangements that allowed attackers to harvest payment card details.
Lesson: Breach liability extends beyond the incident. Organisations must demonstrate they had reasonable technical and organisational measures in place.

H&M Germany (Hamburg DPA)
Violation: Extensive surveillance of employees, including recording details about their health, religion, and family circumstances.
Lesson: Employee monitoring has strict boundaries. Legitimate interest does not extend to systematic profiling of staff personal lives.

Google France (French CNIL)
Violation: Lack of transparency and valid consent for ad personalisation during Android device setup.
Lesson: Consent must be obtained at the point of data collection, not buried in terms of service. Information must be easily accessible.

Clearview AI (Dutch DPA)
Violation: Building a facial recognition database by scraping billions of images without consent or legal basis.
Lesson: Legitimate interest cannot justify mass processing of biometric data. Special category data demands explicit consent or a statutory basis.
Seven Years of GDPR Fines
The Enforcement Curve
GDPR enforcement has followed a predictable pattern: initial warnings and guidance (2018), followed by landmark penalties establishing precedent (2019 to 2021), and now systematic enforcement across all sectors and company sizes (2022 onwards). This trajectory offers a preview of how DPDPA enforcement will likely evolve in India.
Four Pillars of Enforcement
Across 3,200 enforcement actions, four themes emerge repeatedly. Understanding these patterns is essential for any organisation building a compliance programme.
Consent Architecture
Nearly 40% of major fines relate to consent failures. Regulators reject pre-ticked boxes, bundled consent, and manipulative interfaces.
DPDPA Section 6 mirrors GDPR consent requirements. Indian organisations must implement granular, withdrawable consent mechanisms.
Cross-Border Transfers
The largest single fine in GDPR history arose from transfer violations. Adequacy decisions and safeguards are non-negotiable.
DPDPA Section 16 restricts transfers to notified countries. Businesses must map data flows and implement compliant transfer mechanisms.
Security Measures
Breach penalties reflect not just the incident but the adequacy of preventive measures. Regulators assess what controls existed before the breach.
DPDPA Section 8 mandates reasonable security safeguards. Rule 6 prescribes specific technical measures data fiduciaries must implement.
Transparency Obligations
Privacy notices must be clear, accessible, and comprehensive. Hiding information in lengthy documents attracts enforcement.
DPDPA Section 5 requires clear notice before collection. Rule 3 specifies disclosure requirements in plain language.
What This Means for India
The Digital Personal Data Protection Act, 2023 draws heavily from GDPR principles while adapting them to Indian context. Organisations that study GDPR enforcement gain a strategic advantage: they can anticipate regulatory expectations before the Data Protection Board of India establishes its own precedents.
Consider the Meta transfer case. When India notifies permitted countries under Section 16, organisations with data flows to non-permitted jurisdictions will face immediate compliance obligations. Those who have already implemented robust transfer impact assessments and supplementary measures will be prepared. Those who have not will scramble.
The consent architecture failures that produced the Amazon and Google fines offer equally relevant lessons. DPDPA requires consent to be free, specific, informed, and unambiguous. Organisations still relying on lengthy privacy policies and pre-selected checkboxes are building on foundations that European regulators have already condemned.
Security is perhaps the most universal lesson. The British Airways and Marriott cases established that breach penalties reflect not just the incident but the adequacy of prior protection. Organisations must demonstrate that reasonable security safeguards existed before any incident, not just respond after one occurs.
Consent Audit: Review all consent mechanisms against GDPR precedents before DPDPA enforcement begins.
Transfer Mapping: Document all cross-border data flows and prepare for Section 16 country notifications.
Security Baseline: Implement demonstrable technical measures aligned with Rule 6 requirements.
GDPR Precedents. DPDPA Preparation.
Understanding enforcement patterns from seven years of GDPR implementation provides practical guidance for organisations navigating India's evolving data protection landscape.