Brussels, May 22 – Meta Platforms Ireland Limited (Meta IE), the parent company of Facebook, has been handed a staggering 1.2 billion euro fine, equivalent to over 1 billion U.S. dollars, marking the largest penalty ever issued under the General Data Protection Regulation (GDPR). This landmark decision, stemming from a binding dispute resolution by the European Data Protection Board (EDPB) on April 13, 2023, was enforced by the Irish Data Protection Authority (IE DPA) following an investigation into Facebook’s data handling practices. The core issue? Meta’s transfer of personal data of European users to the United States using standard contractual clauses (SCCs) since July 16, 2020, was deemed non-compliant with GDPR.
Andrea Jelinek, Chair of the EDPB, emphasized the severity of the infringement: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous. Facebook boasts millions of users across Europe, resulting in a massive volume of personal data being transferred. This unprecedented fine serves as a robust warning to organizations that serious violations of data protection carry substantial repercussions.”
The EDPB’s binding decision on April 13, 2023, directed the IE DPA to revise its initial draft decision and impose a significant financial penalty on Meta IE. The Board stipulated that, given the gravity of the GDPR breach, the starting point for calculating the fine should range between 20% and 100% of the maximum permissible legal fine. Furthermore, the EDPB mandated the IE DPA to instruct Meta IE to bring its data processing operations into full compliance with Chapter V of the GDPR. This includes ceasing the unlawful processing and storage in the U.S. of European users’ personal data that was transferred in violation of GDPR. Meta has been given a six-month period from the notification of the IE DPA’s final decision to implement these changes.
The IE DPA’s conclusive decision integrates the legal assessment articulated by the EDPB in its binding decision. This decision was adopted based on Article 65(1)(a) GDPR, triggered after the IE DPA, acting as the lead supervisory authority (LSA), initiated a dispute resolution procedure to address objections raised by several concerned supervisory authorities (CSAs). These objections specifically aimed to include an administrative fine and an order compelling Meta to bring its processing activities into compliance with GDPR standards.
The official final decision from the IE DPA is accessible in the Register for Decisions taken by supervisory authorities and courts concerning issues managed within the consistency mechanism, providing further transparency into this significant GDPR enforcement action.
