The GDPR empowers data protection authorities to issue fines for breaches where the amount of any penalties is calculated based on factors such as the nature, gravity and duration of the infringement; the scope or purpose of the processing; and the number of data subjects affected and level of damage suffered, among other considerations.

The highest possible penalty under the GDPR is 4% of global annual turnover. So, in Meta’s case, a €91M fine may sound like a significant chunk of change — but it remains a tiny fraction of the billions the company could theoretically face, given its annual revenue for 2023 was a staggering $134.90B.