Meta Platforms Ireland Limited (Meta IE) has been fined 1.2 billion euros by the Irish Data Protection Authority (IE DPA) for violating the General Data Protection Regulation (GDPR). The European Data Protection Board (EDPB) confirmed that this is the largest GDPR fine ever.
The fine was imposed for transferring personal data to the U.S. using standard contractual clauses (SCCs) since July 2020, which the EDPB deemed unlawful. Meta has been ordered to comply with the GDPR for its data transfers.
European Data Protection Board (EDPB) Decision and Fine Imposed on Meta IE
In its decision on 13 April 2023, the EDPB directed the Irish DPA to revise its draft decision and impose a fine on Meta IE. The severity of the infringement warranted a recommended fine ranging from 20% to 100% of the maximum legal amount.
Additionally, Meta IE was instructed to ensure compliance with Chapter V of the GDPR by discontinuing the unlawful processing and storage of personal data belonging to European users in the U.S. within a six-month timeframe.
DPC’s Final Decision and Findings against Meta Ireland
In its final decision on 12 May 2023, the Data Protection Commission (DPC) determined that Meta Ireland breached Article 46(1) of the GDPR. Despite the judgment of the CJEU, Meta Ireland persisted in transferring personal data from the EU/EEA to the USA, relying on updated Standard Contractual Clauses (SCCs) and supplementary measures.
However, the DPC concluded that these measures were inadequate in addressing the risks to data subjects’ rights and freedoms as highlighted by the CJEU.
Inquiry Details and Cooperation with Concerned Supervisory Authorities (CSAs)
The inquiry was initiated in August 2020 but was put on hold by the High Court of Ireland until 20 May 2021 due to ongoing legal proceedings. The DPC prepared a draft decision during this time, which outlined the GDPR violation and the proposed suspension of data transfers.
The draft decision was shared with other EU/EEA supervisory authorities (CSAs) for their input. While most CSAs supported the DPC’s decision, a few objected and recommended imposing an administrative fine and taking corrective action to address the unlawfully transferred data.
Speaking on the announcement, Andrea Jelinek, EDPB Chair, said:
The EDPB determined that Meta IE’s violation is very grave since it involves transfers that are regular, frequent and ongoing. Facebook has millions of users in Europe, so the amount of personal data transferred is huge. The unprecedented fine is a powerful message to organizations that serious breaches have far-reaching consequences.