Brussels, 22 May – Meta Platforms Ireland Limited (Meta IE), the operator of Facebook, has been handed a landmark €1.2 billion fine, the largest penalty ever issued under the General Data Protection Regulation (GDPR). The fine follows an inquiry by the Irish Data Protection Authority (IE DPA) into Meta’s data transfers to the United States. The core issue is the legality of the transfers Meta has made using standard contractual clauses (SCCs) since July 16, 2020. Beyond the fine, Meta is required to bring its data transfer practices into compliance with the GDPR.
Andrea Jelinek, Chair of the European Data Protection Board (EDPB), emphasized the gravity of the infringement, stating, “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous.” She further highlighted the scale of the operation: “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
The EDPB’s binding decision on April 13, 2023, was pivotal, instructing the IE DPA to amend its initial decision and impose a substantial fine on Meta IE. The severity of the GDPR violation led the EDPB to recommend a starting point for the fine calculation between a staggering 20% and 100% of the maximum legal limit. Furthermore, the EDPB directed the IE DPA to enforce a strict compliance order, compelling Meta IE to cease unlawful processing, including data storage in the U.S., of European users’ personal data transferred in violation of GDPR. Meta has been given a six-month deadline from the notification of the IE DPA’s final decision to rectify these practices.
This final decision from the IE DPA incorporates the EDPB’s legal assessment, which stems from a dispute resolution procedure initiated after objections from several concerned supervisory authorities (CSAs). These CSAs pushed for both a significant administrative fine and a definitive order to ensure Meta brings its data processing activities into GDPR compliance. The decision underscores the EU’s commitment to robust data protection and the considerable financial consequences for companies that fail to adhere to GDPR requirements.
Further details on the decision are publicly available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.