The General Data Protection Regulation (GDPR) transformed how organizations across the globe manage personal data, imposing strict rules on data collection, storage, processing, and security. With fines reaching up to €20 million or 4% of a company’s annual global turnover—whichever is higher—GDPR violations are costly mistakes no organization wants to make. Since its inception, regulators have cracked down on non-compliant entities, from tech giants to small businesses, highlighting the regulation’s broad reach. Below, we examine five prominent GDPR breach cases, detailing the incidents, penalties, and key takeaways.
1. British Airways: A Costly Data Breach (2018)
One of the earliest and most high-profile GDPR breaches involved British Airways (BA), the UK’s flag carrier airline. In June 2018, cybercriminals exploited vulnerabilities in BA’s website, compromising the personal data of approximately 500,000 customers. The breach exposed sensitive information, including names, addresses, payment card details, and travel booking data. Attackers used a technique called “Magecart,” injecting malicious code into the website to skim customer data during the payment process.
The UK’s Information Commissioner’s Office (ICO) investigated the incident and initially proposed a staggering £183.39 million fine in July 2019—the largest GDPR penalty at the time. The ICO cited BA’s failure to implement adequate security measures, such as multi-factor authentication and regular vulnerability testing, as a key violation of GDPR’s Article 32, which mandates appropriate technical and organizational measures to ensure data security. After BA appealed and negotiations ensued, the fine was reduced to £20 million in October 2020, partly due to the economic impact of the COVID-19 pandemic on the airline industry.
Consequences and Lessons: The £20 million penalty, while reduced, underscored the ICO’s commitment to enforcing GDPR rigorously. BA also faced reputational damage and potential lawsuits from affected customers. This case highlighted the importance of proactive cybersecurity measures, especially for organizations handling payment data. Companies must regularly audit their systems, patch vulnerabilities, and train staff to detect and prevent attacks. The breach also demonstrated that even large, established firms are not immune to GDPR enforcement.
2. Marriott International: A Legacy of Poor Data Practices (2018)
In November 2018, Marriott International, a global hotel chain, disclosed a massive data breach affecting its Starwood Hotels subsidiary, which it had acquired in 2016. The breach, which began in 2014 but was discovered post-GDPR in 2018, exposed the personal data of up to 339 million guests worldwide. This included names, addresses, phone numbers, passport numbers, and, in some cases, unencrypted credit card details. The root cause was traced to outdated security practices within Starwood’s IT systems, which Marriott failed to address after the acquisition.
The ICO responded in July 2019 with a proposed fine of £99.2 million, arguing that Marriott violated GDPR by not conducting sufficient due diligence during the acquisition and failing to secure the inherited systems. GDPR’s Article 5(1)(f) requires data controllers to ensure the integrity and confidentiality of personal data, a standard Marriott fell short of. After a lengthy review process, the final penalty was reduced to £18.4 million in October 2020, again reflecting economic considerations amid the pandemic.
Consequences and Lessons: Beyond the financial penalty, Marriott faced class-action lawsuits and a significant loss of customer trust. This case emphasized the risks of acquiring companies without thoroughly assessing their data protection practices. Organizations must integrate GDPR compliance into merger and acquisition strategies, conducting comprehensive audits of legacy systems. It also showcased the importance of encryption and timely breach detection—failures that allowed the breach to persist undetected for years.
3. Google: Consent Confusion in France (2019)
In January 2019, France’s data protection authority, the CNIL, fined Google €50 million for GDPR violations related to its handling of user consent for personalized ads. The case stemmed from complaints by privacy advocacy groups, including None Of Your Business (NOYB), which argued that Google’s consent process was opaque and manipulative. Under GDPR’s Article 6, processing personal data requires a lawful basis, such as explicit consent, which must be freely given, specific, informed, and unambiguous.
The CNIL found that Google buried critical information about data processing across multiple documents, making it difficult for users to understand how their data was used for ad targeting. Additionally, the consent mechanism was pre-ticked, meaning users had to opt out rather than opt in—contrary to GDPR’s requirement for affirmative action. This lack of transparency and control breached Articles 12 and 13, which mandate clear communication of data practices.
Consequences and Lessons: The €50 million fine was a landmark moment, signaling that even tech giants could face GDPR scrutiny over consent practices. Google adjusted its consent framework in response, introducing clearer options for users in the EU. The case underscored the need for user-centric design in data collection processes. Companies must ensure consent is granular, easy to understand, and not coerced through pre-selected options. It also highlighted the power of privacy advocacy groups in driving enforcement.
4. H&M: Employee Surveillance Gone Wrong (2020)
In October 2020, the Hamburg Data Protection Authority (DPA) in Germany fined H&M, the Swedish fashion retailer, €35.3 million for excessive monitoring of employees at its Nuremberg service center. Following a 2019 data breach that exposed internal records, investigators discovered that H&M supervisors had been collecting and storing highly personal details about employees’ private lives—ranging from health issues and family problems to religious beliefs—since at least 2014. This information was gathered during casual conversations and formal meetings, then logged in a database accessible to dozens of managers.
The DPA ruled that H&M violated GDPR’s Article 5(1)(a), which requires data processing to be lawful, fair, and transparent, and Article 6, which mandates a legal basis for processing sensitive personal data. The surveillance lacked employee consent and served no legitimate business purpose, constituting a gross overreach. The fine reflected the severity and duration of the breach, as well as H&M’s failure to address it proactively.
Consequences and Lessons: H&M issued an apology, paid compensation to affected employees, and overhauled its internal data policies. This case illustrated that GDPR applies not just to customer data but also to employee data, a point often overlooked. Organizations must establish clear policies for handling personal information in the workplace, ensuring it is collected only when necessary and with proper justification. Transparency with employees about data use is equally critical to avoid similar violations.
5. WhatsApp: Transparency Troubles in Ireland (2021)
In August 2021, Ireland’s Data Protection Commission (DPC) imposed a €225 million fine on WhatsApp, owned by Meta, for failing to provide clear information about its data-sharing practices with other Meta companies, such as Facebook and Instagram. The investigation, opened after GDPR took effect in 2018, focused on WhatsApp’s compliance with Articles 12, 13, and 14, which require transparent communication of how personal data is processed, including data shared with third parties.
The DPC found that WhatsApp’s privacy policy was convoluted, leaving users unclear about how their data—such as phone numbers and metadata—was shared within the Meta ecosystem for purposes like analytics and advertising. The initial fine proposed by the DPC was €50 million, but after input from other EU regulators under GDPR’s consistency mechanism, it was escalated to €225 million, reflecting the scale of WhatsApp’s user base (over 2 billion globally) and Meta’s revenue.
Consequences and Lessons: The €225 million penalty was the second-largest GDPR fine to date, signaling heightened scrutiny of Big Tech’s data practices. WhatsApp contested the decision but updated its privacy policy to improve clarity for EU users. This case reinforced the importance of concise, accessible privacy notices—a challenge for companies with complex data ecosystems. It also demonstrated the collaborative nature of GDPR enforcement across EU member states, ensuring consistent standards. Businesses must prioritize transparency, especially when sharing data within corporate groups, to avoid alienating users and regulators alike.
Broader Implications and Compliance Strategies
These five cases—British Airways, Marriott, Google, H&M, and WhatsApp—span industries and violation types, from security failures to consent mishandling and transparency lapses. They collectively illustrate GDPR’s far-reaching scope and the diverse ways organizations can falter. The financial penalties, while significant, are often dwarfed by indirect costs like reputational harm, customer churn, and legal battles. Below are key strategies to avoid GDPR breaches, drawn from these examples:
- Robust Security Measures: Invest in cybersecurity infrastructure, including encryption, regular testing, and breach detection systems, as seen in the BA and Marriott cases. Compliance with Article 32 is non-negotiable.
- Transparent Consent Processes: Ensure consent is explicit, informed, and easy to revoke, per Google’s lesson. Avoid pre-ticked boxes or hidden terms that obscure data use.
- Due Diligence in Acquisitions: Assess and integrate data practices during mergers, as Marriott’s oversight showed. Legacy systems can be ticking time bombs.
- Employee Data Protection: Treat employee data with the same care as customer data, limiting collection to what’s necessary and lawful, as H&M learned.
- Clear Privacy Policies: Communicate data practices simply and directly, especially in interconnected corporate structures, as WhatsApp’s fine emphasized.
Conclusion
GDPR breaches are not just technical missteps—they reflect broader failures in organizational culture, accountability, and respect for individual rights. The cases of British Airways, Marriott, Google, H&M, and WhatsApp serve as cautionary tales, urging companies to prioritize data protection as a core business function, not an afterthought. As enforcement intensifies and public awareness grows, compliance is no longer optional—it’s a competitive necessity. By learning from these examples, organizations can navigate the complexities of GDPR, safeguard personal data, and build trust in an increasingly privacy-conscious world.