For Data Privacy Week, here’s a look at the ten largest privacy fines imposed as of Jan. 27, 2023.
This list includes multinational household names such as Amazon, Meta and Google.
We’ve also included five notable data breaches in Canada (where fines were not assessed), and their corresponding penalties and compliance requirements.
1. Facebook - US$5 billion (July 2019)
The U.S. Federal Trade Commission issued the biggest privacy fine (so far) after determining that Facebook “violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.”
The sanction includes a 20-year settlement order to boost transparency on how privacy decisions are taken within the company and to hold Facebook accountable through overlapping means of compliance.
2. DiDi Global - US$1.2 billion (July 2022)
The Cyberspace Administration of China fined the ride-hailing giant after determining that the company violated the nation’s network security law, data security law and personal information protection law.
This decision has been accepted by DiDi Global.
3. Amazon - US$877 million (June 2021)
In 2021, the Luxembourg National Data Protection Commission (CNPD) imposed a record General Data Protection Regulation (GDPR) fine of €746 million (US$877 million) on Amazon Europe Core S.à r.l., based in Luxembourg, for breaching the EU regulation.
Amazon has contested the decision, calling the fine “disproportionate”, and denied any breach of personal data or any sharing of data with third parties without the appropriate consent.
4. Equifax - US$575 million (July 2019)
The FTC and the Consumer Financial Protection Bureau (CFPB) sanctioned credit bureau Equifax for failing to take reasonable steps to secure its network, which led to a data breach in 2017 that affected approximately 147 million people.
The settlement included US$300 million to be paid to a fund compensating affected consumers, US$175 million to 48 states, the District of Columbia and Puerto Rico, as well as US$100 million to the CFPB in civil penalties.
5. Instagram - US$402 million (September 2022)
The Irish Data Protection Commission (DPC) handed down the second-largest GDPR fine ever to Meta-owned Instagram in 2022, following an investigation into its default account settings, which exposed the phone numbers and email addresses of child-operated accounts.
Meta’s spokesperson said that the allegations concern “old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private”.
6. WhatsApp - US$255 million (September 2021)
The DPC fined another Meta-owned company for its lack of transparency about how it handles users’ information, a year before issuing its biggest fine to Instagram.
WhatsApp has updated its privacy policies several times since, despite its plans to appeal the decision.
7. Google Ireland and Google LLC - US$169 million (December 2021)
The Commission nationale de l’informatique et des libertés (CNIL) fined Google’s Ireland branch €90 million and Google LLC €60 million after determining that the company failed to meet the recommendations for cookies, specifically by making them difficult to refuse on YouTube.
8. Uber - US$148 million (September 2018)
Following an investigation into a 2016 data breach that exposed the personal information of 57 million Uber accounts and 600,000 driver’s licences, Uber agreed to pay US$148 million to all 50 U.S. states and the District of Columbia for allegedly concealing the breach and paying off the hackers.
9. Capital One - US$80 million (August 2020)
Capital One was issued a hefty fine by the U.S. Office of the Comptroller of the Currency (OCC) following a massive data breach in 2019 that affected 100 million people in the U.S. and 6 million in Canada.
The OCC said it fined the company for “failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”
10. Facebook Ireland - US$66 million (December 2021)
Notable data breaches in Canada
1. Desjardins (May 2019)
Between 2017 and 2019, the Fédération des caisses Desjardins du Québec (Desjardins) suffered a massive data breach that affected close to 9.7 million customers in Canada and abroad. Their personal information, including first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories, was exfiltrated by one of its employees.
After being notified in May 2019, the Office of the Privacy Commissioner of Canada (OPC) found that Desjardins had contravened the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC issued a list of recommendations of appropriate measures for Desjardins to take to remedy the contravention.
2. Medicentre Canada Inc (October 2013)
Medicentre notified the Office of the Information and Privacy Commissioner (OIPC) about a possible breach of the Health Information Act (HIA). Reportedly, the laptop of an information technology consultant containing the billing information for an estimated 631,000 Albertans had been stolen.
The OIPC launched an investigation on Jan. 23, 2014 and issued recommendations to revamp the company’s security procedures to protect patients’ information.
3. Avid Life Media Inc (June 2015)
A hacker group calling itself The Impact Team claimed that it had infiltrated the systems of Avid Life Media Inc, the owner of the dating sites Ashley Madison, Cougar Life and Established Men. Demanding that the sites be shut down, the hackers justified the attack by reproaching Ashley Madison for charging $19 to fully remove members’ profile information and claiming that Established Men encouraged cheating. Avid Life refused to comply, and the records of some 36 million members, including their personally identifiable information, along with the company’s source code and internal emails, were released.
Avid Life (renamed Ruby Corp.) agreed to reinforce its security structures as part of its compliance agreement with the office of Canada’s privacy commissioner and the office of the Australian Information Commissioner and agreed to pay US$1.6 million to the U.S. government and a number of states for deceiving users and failing to protect their accounts.
4. Tim Hortons (June 2020)
Following an article in The Financial Post on Jun. 12, 2020 detailing how the Tim Hortons mobile app was tracking users’ locations even when the app was closed, the OPC and the privacy commissioners of Quebec, Alberta and British Columbia launched an investigation into the fast food chain to determine whether its app was gathering vast amounts of sensitive data without consent.
As a result of the investigation, Tim Hortons agreed to implement several recommendations around the Tim Hortons app, including deleting all location data.
5. LifeLabs (December 2019)
On Dec. 17, 2019, LifeLabs released a statement notifying its customers of a cyberattack involving unauthorized access to computer systems containing the information of over 15 million customers located primarily in B.C. and Ontario; the lab test results of 85,000 Ontario customers from 2016 or earlier were exposed.
Consequently, the Information and Privacy Commissioners of Ontario and B.C. found that LifeLabs had failed to protect the personal health information of millions of Canadians and ordered a number of measures to fix these shortcomings.