Brussels, May 22 – Meta Platforms Ireland Limited (Meta IE), the tech giant behind Facebook, has been slapped with a staggering 1.2 billion euro fine, marking the largest penalty ever issued under the General Data Protection Regulation (GDPR). This landmark decision, stemming from a binding dispute resolution by the European Data Protection Board (EDPB) on April 13, 2023, and enforced by the Irish Data Protection Authority (IE DPA), addresses Meta’s ongoing transfers of personal data to the United States using standard contractual clauses (SCCs) since July 16, 2020. Beyond the unprecedented financial penalty in Euros 2023, Meta has been mandated to overhaul its data transfer practices to achieve full compliance with GDPR regulations.
Andrea Jelinek, Chair of the EDPB, emphasized the gravity of the infringement, stating, “The EDPB has determined that Meta IE’s violation is exceptionally serious due to its systematic, repetitive, and continuous nature. With Facebook’s vast user base across Europe, the sheer volume of personal data being transferred is immense. This record-breaking fine sends a clear and forceful message to organizations: severe infringements of data protection laws will be met with significant consequences.”
The EDPB’s binding decision from April 13, 2023, directed the IE DPA to revise its initial draft decision and impose a substantial fine on Meta IE. Recognizing the severity of the breach, the EDPB stipulated that the fine’s base calculation should range between 20% and 100% of the maximum permissible legal limit. Furthermore, the EDPB instructed the IE DPA to compel Meta IE to bring its data processing operations into alignment with Chapter V of the GDPR. This includes ceasing the unlawful processing and storage within the U.S. of European users’ personal data that was transferred in violation of GDPR. Meta has been given a six-month period, starting from the notification of the IE DPA’s final decision, to implement these corrective measures.
The IE DPA’s conclusive decision incorporates the legal evaluation articulated by the EDPB in its binding decision, which was adopted under Article 65(1)(a) GDPR. This followed a dispute resolution process initiated by the IE DPA, in its capacity as the lead supervisory authority (LSA), in response to objections raised by several concerned supervisory authorities (CSAs). These objections specifically aimed to include the imposition of an administrative fine and an order to ensure Meta’s processing practices become GDPR compliant.
Details of the final decision issued by the IE DPA are publicly accessible in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism. This case underscores the rigorous enforcement of GDPR and its impact on transatlantic data flows, particularly for major tech companies handling vast amounts of user data within euros 2023 and beyond.
