Companies are being fined
for AI violations right now.
GDPR has applied to AI since . EU AI Act Article 4 has been in force since . Regulators across Europe and the US are actively enforcing — and the fines are real.
€7.1B+
Total GDPR fines issued since 2018
€100M+
Clearview AI fined across Europe (none paid)
€35M / 7%
Max EU AI Act fine for prohibited AI practices
Article 4 AI literacy obligation — already in force
Major AI-related fines & penalties
Every entry is verified against the original regulator decision or a reputable news report — from €4K local cases to €405M against Big Tech. Most violations involve GDPR applied to AI — not the EU AI Act, which is still phasing in.
| Company | Fine | Year | Regulator | Type | What happened | Source |
|---|---|---|---|---|---|---|
| Meta (Instagram) | €405M | Ireland / DPC | GDPR | Defaulted children's Instagram accounts to public, exposing them to recommendation algorithms. Business accounts for minors displayed contact info publicly. | Official source → | |
| €310M | Ireland / DPC | GDPR | Used member data for behavioural analysis, predictive scoring, and AI-driven ad targeting without freely given consent. No valid legal basis. | Official source → | ||
| Meta (Facebook) | €390M | Ireland / DPC | GDPR | Required users to accept personalised AI-driven ads as a condition of using Facebook/Instagram. No valid legal basis for behavioural advertising. | Official source → | |
| TikTok | €345M | Ireland / DPC | GDPR | Default-public settings and algorithmic content serving to 13–17 year-olds without adequate protections. AI recommendation system exposed minors to harmful content. | Official source → | |
| Meta (Facebook) | €265M | Ireland / DPC | GDPR | Failure to protect user data from scraping. The scraped dataset including phone numbers, emails, and dates of birth was published online. | Official source → | |
| Clearview AI | €30.5M | Netherlands / AP | Biometric AI | Built an illegal database of 30+ billion facial images scraped from the web. The Dutch DPA imposed €30.5M — one of the largest facial-recognition fines to date — and threatened further penalties for continued non-compliance. | Official source → | |
| Clearview AI | €20M | France / CNIL | Biometric AI | Same scraping practice — billions of faces collected without legal basis. Ordered to delete all French residents' data. Non-compliant. | Official source → | |
| Clearview AI | €20M | Italy / Garante | Biometric AI | Coordinated enforcement alongside France and Greece. Italy, France, and Greece each imposed €20M fines for the same unlawful facial recognition database. | Official source → | |
| OpenAI (ChatGPT) | €15M | Italy / Garante | Generative AI | No legal basis for training data processing, lack of age verification, failure to notify a data breach, and inadequate transparency. First generative AI GDPR fine in the EU. Also ordered 6-month public awareness campaign. | Official source → | |
| TikTok | £12.7M | UK / ICO | GDPR | Processed personal data of ~1.4 million UK children under 13 without parental consent. AI-driven platform used by minors without age verification. | Official source → | |
| Amazon (Alexa) | $25M | USA / FTC | AI Training Data | Retained voice recordings and transcripts of children indefinitely even after parents requested deletion. Used children's data to train Alexa's AI models. | Official source → | |
| Luka Inc. (Replika) | €5M | Italy / Garante | Generative AI | AI companion chatbot failed on legal basis, transparency, age verification, data minimisation, and privacy-by-design obligations. | Official source → | |
| IKEA France | €1M | France / Criminal Court | AI Surveillance | Used data systems to build covert surveillance files on employees and job candidates. CEO received a suspended prison sentence — first criminal conviction for corporate AI surveillance. | Official source → | |
| La Liga | €1M | Spain / AEPD | Biometric AI | Spain's AEPD fined the top football league €1M for deploying biometric (facial recognition) access systems at stadiums without a valid legal basis or adequate safeguards. | Official source → | |
| FC Barcelona | €500K | Spain / AEPD | Biometric AI | AEPD fined FC Barcelona €500K for processing biometric data of ~143,000 members during a 2023 digital census without first completing a legally compliant Data Protection Impact Assessment. | Official source → | |
| Rite Aid | 5-year ban | USA / FTC | Biometric AI | Deployed facial recognition "watchlist" that disproportionately flagged Black, Asian, and Latino customers as shoplifters based on faulty AI matches. No safeguards against false positives. | Official source → | |
| Foodinho S.r.l. (Glovo) | €2.6M | Italy / Garante | Algorithmic Mgmt | Food-delivery platform fined over discriminatory performance algorithms used to manage riders and related GDPR failures around transparency and data minimisation. | Official source → | |
| Deliveroo Italy | €2.5M | Italy / Garante | Algorithmic Mgmt | Food-delivery platform fined over unlawful worker-data processing and lack of transparency around algorithmic rider management systems. | Official source → | |
| SafeRent Solutions | $2.3M | USA / Court settlement | Algorithmic Mgmt | Settled a class action alleging its tenant-screening algorithm disproportionately scored Black and Hispanic applicants and housing-voucher holders lower. Barred from using its score for voucher applicants for five years. | Official source → | |
| Club Atlético Osasuna | €200K | Spain / AEPD | Biometric AI | Spanish football club fined €200K by the AEPD for deploying a facial-recognition access system at its stadium without an adequate legal basis or safeguards for members' biometric data. | Official source → | |
| SIDECU (Supera gyms) | €96K | Spain / AEPD | Biometric AI | Galician gym operator SIDECU fined €96K after imposing facial recognition as the sole entry method across Supera centres — without valid consent, prior notice, or a DPIA. Ordered to suspend the system. | Official source → | |
| Workday | Class action | USA / Federal Court | Algorithmic Mgmt | A US federal court preliminarily certified a nationwide collective action alleging Workday's AI-powered applicant-screening tool discriminated against job seekers over 40 — among the first such AI-hiring rulings. | Official source → | |
| Private healthcare company | €6K | Lithuania / VDAI | Sensitive Data | Patient photographs published on a social network without proper legal basis or safeguards. Relevant for sensitive-data governance in AI-assisted clinical contexts. | Official source → | |
| Doctor (private healthcare company) | €840 | Lithuania / VDAI | Sensitive Data | Doctor personally fined alongside their employer in the same case involving patient photographs published on social media without consent or legal basis. | Official source → | |
| Serco Leisure / Serco Jersey | Enforcement notice | UK / ICO | Biometric AI | Ordered to stop using facial recognition and fingerprint scanning to monitor employee attendance across leisure centres. No monetary fine — enforcement notice issued. | Official source → | |
| Worldcoin Foundation | Deletion order | Germany / Bavarian DPA | Biometric AI | Ordered to delete iris-code data and bring biometric proof-of-personhood processing into GDPR compliance. No monetary fine — deletion and compliance orders issued. | Official source → | |
| Clearview AI | €20M | Greece / Hellenic DPA | Biometric AI | Third EU regulator to fine Clearview €20M for the same unlawful facial-recognition scraping. Ordered to delete all data of subjects in Greece and stop processing. | Official source → | |
| AENA (airport operator) | €1.8M | Spain / AEPD | Biometric AI | Spain's airport operator rolled out facial recognition for passenger access and boarding at Barcelona, Madrid and Menorca airports (2019–2024) without an adequate data protection impact assessment. | Official source → | |
| Budapest Bank | €670K | Hungary / NAIH | AI Surveillance | Used AI speech/emotion analysis on customer-service call recordings to score callers' moods without a legal basis or transparency. Hungary's largest AI-related GDPR fine at the time. | Official source → | |
| Univ. Internacional de Valencia (VIU) | €650K | Spain / AEPD | Biometric AI | Required students to undergo AI facial-recognition proctoring during online exams without a valid legal basis, breaching Article 9 GDPR on special-category biometric data. | Official source → | |
| Car-dealership group (Italy) | €120K | Italy / Garante | Biometric AI | Used a facial-recognition system (X-Face 380) to track employee attendance and entry/exit times. The Garante held biometric attendance monitoring of workers is unlawful. | Official source → | |
| eCampus (online university) | €50K | Italy / Garante | Biometric AI | Italian online university fined €50K by the Garante for using facial recognition to supervise students during exams without an adequate legal basis. | Official source → | |
| Skellefteå Municipality | €20K | Sweden / IMY | Biometric AI | Sweden's first GDPR fine. A school ran a facial-recognition trial to track student attendance — processing children's biometric data without a valid legal basis. | Official source → |
Last updated . Sources: regulatory press releases from DPC, CNIL, Garante, AP, ICO, FTC. Fine amounts in original reported currency. Clearview AI fines remain unpaid.
What actually triggers AI compliance fines
You don't need facial recognition to be at risk. These are the violations that hit ordinary companies.
Shadow AI sharing customer data
Employees paste customer or employee data into ChatGPT, Claude, or other AI tools without a Data Processing Agreement. Every instance is a potential GDPR violation — your company is the data controller.
No lawful basis for AI data processing
Using AI to analyse, profile, or make decisions about people requires a valid GDPR legal basis. "Legitimate interests" is not automatic. Most companies have never documented their lawful basis for each AI tool.
Automated decision-making without oversight
GDPR Article 22 gives individuals the right not to be subject to purely automated decisions. AI tools used for hiring, credit, or customer segmentation need human review mechanisms.
No AI literacy documentation (Article 4)
In force since February 2025. Companies must ensure employees understand the AI tools they use and the risks involved. Most companies have no evidence they have met this obligation.
Biometric or children's data in AI systems
Facial recognition, voice analysis, or any biometric processing requires explicit consent. AI tools used where children might be present face the highest regulatory scrutiny.
No audit trail for regulators
When a regulator asks for evidence of AI governance — what tools you use, how they're classified, who approved policies, who acknowledged them — a spreadsheet or Notion page is not sufficient.
EU AI Act fine structure
These penalties stack on top of GDPR. Some tiers are already enforceable.
Prohibited AI practices
€35M or 7%
of global annual turnover
- Social scoring systems
- Real-time public biometric surveillance
- Subliminal manipulation AI
- Exploiting vulnerable groups
High-risk AI violations
€15M or 3%
of global annual turnover
- Missing technical documentation
- No human oversight mechanism
- Failing to register AI system
- Inadequate risk management
Misinformation to regulators
€7.5M or 1.5%
of global annual turnover
- False information to authorities
- Incomplete regulatory disclosures
- Failing to cooperate with audits
How ComplyLayer reduces your exposure
Most fine triggers can be addressed with documentation, policy, and visibility. That's exactly what ComplyLayer automates.
Shadow AI sharing customer data
Browser extension detects which AI tools employees actually use — including unapproved ones processing customer data.
No lawful basis documentation
AI inventory with guided risk classification captures the legal basis for each AI tool and generates the required documentation.
No Article 4 compliance evidence
Policy acknowledgement workflow collects timestamped signatures from every team member — audit-ready proof of AI literacy compliance.
No AI Usage Policy
One-click generation of AI Usage Policy, GDPR DPIA, Technical Documentation, and Transparency Notice — all version-controlled.
No audit trail for regulators
One-click PDF compliance report covering all AI systems, risk classifications, policies, and acknowledgements. Ready in seconds.
Unknown risk level of AI tools
Guided risk wizard classifies every AI system under EU AI Act tiers and NIST AI RMF — flags high-risk systems automatically.
Frequently asked questions
Can companies be fined for AI violations right now?
Yes. GDPR has applied to AI systems since 2018. Regulators across the EU are actively enforcing it against companies using AI for data processing, facial recognition, behavioural targeting, and automated decision-making. OpenAI was fined €15M in December 2024. LinkedIn was fined €310M in October 2024. Clearview AI has been fined over €100M across multiple EU countries. The EU AI Act adds new obligations on top of GDPR — several already in force since February 2025.
What triggers AI compliance fines under GDPR?
The most common triggers are: (1) processing personal data with AI without a valid legal basis, (2) lack of transparency about how AI uses personal data, (3) biometric data collection without explicit consent, (4) using children's data in AI systems without adequate safeguards, (5) automated decision-making without human oversight (GDPR Article 22), and (6) shadow AI tools that employees use to process customer or employee data without the company's knowledge or proper data processing agreements.
What are the EU AI Act fines?
The EU AI Act penalty structure (phasing in from 2025–2027) is: up to €35M or 7% of global annual turnover for deploying prohibited AI practices (e.g. social scoring, real-time biometric surveillance in public spaces without authorisation); up to €15M or 3% of global turnover for other violations including failing to register high-risk AI systems, inadequate technical documentation, or failing to implement human oversight; up to €7.5M or 1.5% for providing false information to regulators. These stack on top of existing GDPR exposure.
Is Article 4 AI literacy already a legal requirement?
Yes. EU AI Act Article 4 (AI literacy obligation) has been in force since February 2025. It requires companies to ensure their staff have adequate AI literacy — meaning employees understand the AI tools they work with, the risks those tools carry, and your company's policies for using them. Most companies have no documentation that they have met this obligation. ComplyLayer generates the required policy documents and collects timestamped employee acknowledgements to prove compliance.
How can ComplyLayer help avoid AI compliance fines?
ComplyLayer addresses the most common fine triggers directly: shadow AI detection (browser extension finds AI tools employees use without company knowledge), AI Usage Policy generation (covers GDPR lawful basis, transparency obligations, data handling rules), team policy acknowledgements with timestamps (proves Article 4 AI literacy compliance), GDPR DPIA documentation for AI systems, and audit-ready PDF reports for regulators or enterprise due diligence. Setup takes under an hour. Starts at $99/month.
Still not sure?
Ask your AI about ComplyLayer
Let your trusted AI tell you if we're the right fit — no sales call needed.
Don't wait for a regulator to find you.
Start your 14-day Pro trial today. No credit card required. Setup in under an hour.