From TikTok to Meta: Compliance Experts Share The Most Significant GDPR & FCA Breaches of 2023

As we approach the end of 2023, we can reflect on the substantial fines unveiled throughout the year, highlighting the importance of data protection and financial conduct.

This year, penalties relating to GDPR and Financial Conduct Authority (FCA) regulatory breaches have shaped the trajectory of compliance and accountability for companies across various sectors.

Vivek Dodd, CEO of Skillcast, a corporate compliance training service, has provided his thoughts, expressing:

“The misuse of power by large corporations is an alarming reality. Meta’s fine for mishandling international data transfers and TikTok’s repeated breaches impacting underage users underline the critical need for corporate giants to utilise their power responsibly.”

He adds, “These fines serve as a stark reminder that compliance is not just a legal obligation; it’s a moral imperative. Trust is a currency in the digital era, and corporations must value transparency, accountability, and a commitment to safeguard their users.”

The Most Significant Fines of 2023

Meta Platforms Ireland Ltd. – €1.2bn fine
GDPR breaches – Art. 46 (1)

In a landmark decision, Ireland’s Data Protection Commission (DPC) imposed a €1.2 billion fine on Meta Platforms Ireland Ltd., the parent company of Facebook, for mishandling personal data during international transfers between Europe and the United States. The breach centred around Meta’s failure to provide adequate data protection in its transfers, conducted through standard contractual clauses.

Meta has announced its intention to appeal the decision, adding a layer of complexity to this historic enforcement action.

Meta Platforms Ireland Ltd. – €390m fine
GDPR – Breaches of Art. 5 (1) a), Art. 6 (1), Art. 12, Art. 13 (1) c)

Meta Platforms Ireland Ltd. returns to the spotlight with a £390 million fine for improperly soliciting individuals’ data for Facebook and Instagram advertising. The Irish Data Protection Commission (DPC) stressed that Meta cannot compel consent and must offer clear information on data usage.

The regulatory scrutiny also uncovered Meta’s lack of clarity regarding the purpose of data usage, leading to this substantial penalty.

TikTok Ltd – €345m fine
GDPR – Breaches of Art. 46 (1)

The Irish Data Protection Commissioner (DPC) fined TikTok €345 million for several GDPR violations. These encompassed setting 13-17-year-old users’ accounts to public, insufficient transparency, and inadequate verification in the ‘family pairing’ scheme. TikTok’s failure to mitigate risks to underage users intensified the severity of the breach.

Criteo – €40m fine
GDPR – Breaches of Art. 7 (1), (3), Art. 12, Art. 13, Art. 15 (1), Art. 17 (1), Art. 26

Criteo, an online advertising specialist, received a €40 million fine from the French Data Protection Authority (CNIL), equivalent to approximately 2% of the company’s global revenue. The penalty was due to Criteo’s failure to ensure its partners, including publishers, obtained user consent for using Criteo’s cookies. CNIL held Criteo responsible for consent verification despite this being primarily the partners’ responsibility.

ED&F Man Capital Markets Ltd – £17.2m fine
FCA – Breaches of Principle 2 and Principle 3

The FCA fined ED&F Man Capital Markets Ltd. (MCM) £17.2 million for severe oversight lapses in its cum-ex trading strategy, enabling clients to reclaim tax illegitimately. Inadequate compliance checks and risk assessment led to this being the largest FCA fine in a cum-trading case, underscoring the crucial need for stringent oversight in financial markets.
TikTok – £12.7m fine
GDPR – Breaches of Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR

The ICO fined TikTok £12.7 million for illegally processing data of 1.4 million children under 13, citing failures in preventing underage access and inadequate checks. The ICO emphasised TikTok’s unlawful processing of UK users’ personal data. Subsequent to the investigation, the ICO introduced a Children’s Code to bolster digital protection for children.

Equifax Limited – £11.1m fine
FCA – Breaches of Principle 3

Equifax Limited faced an £11 million FCA fine for preventable shortcomings that left millions exposed to financial crime risks. The FCA highlighted Equifax’s delayed regulator notification and misleading public statements after a 2017 security breach. This penalty follows a 2018 ICO fine of £500,000, demonstrating ongoing regulatory action on data breach issues.

TIM SpA – €7.6m fine
GDPR – Breaches of Art. 5 (2), Art. 6, Art. 7, Art. 12 (2), (3), Art. 13, Art. 14, Art. 15 (1), Art. 32 (1) b)

The Italian Data Protection Authority fined telemarketing firm TIM SpA £7.6 million for poorly overseeing abusive call centres. TIM inadequately responded to data subject requests and exposed personal data in public telephone directories without proper consent.

Guaranty Trust Bank (UK) Limited (GT Bank) – £7.6m fine
FCA – Breaches of Principle 3

GT Bank received a £7.6 million FCA fine for Anti-Money Laundering (AML) lapses. Failures in customer risk assessments, transaction monitoring, and assessing money laundering risks were identified. The bank’s non-dispute resulted in a 30% penalty discount.

ADM Investor Services International Ltd – £6.4m fine
FCA – Breaches of Principle 3

The FCA fined commodities broker ADM Investor Services International Ltd £6.47 million for inadequate anti-money laundering controls. Despite initial concerns in 2014 and persistent shortcomings found in 2016, the FCA lifted remedial action requirements in 2018. The company’s global operations and dealings with politically exposed persons heightened money laundering risks.