In a groundbreaking development, Meta Platforms Ireland Limited, commonly known as Meta, has been hit with a record-breaking fine of $1.3 billion by the European Union (EU) over violations of data privacy regulations. The Data Protection Commission (DPC) concluded its inquiry into Meta Ireland, focusing on the transfer of personal data from the EU/EEA to the United States as part of the Facebook service.
The DPC’s final decision, adopted on 12th May 2023, determined that Meta Ireland infringed Article 46(1) of the General Data Protection Regulation (GDPR) by continuing to transfer personal data despite the Court of Justice of the European Union’s (CJEU) judgment in the case of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. Despite Meta Ireland’s reliance on updated Standard Contractual Clauses (SCCs) and supplementary measures approved by the European Commission, the DPC found that these arrangements failed to adequately address the risks to data subjects’ fundamental rights and freedoms, as identified by the CJEU.
The inquiry, initiated in August 2020 and temporarily stayed by order of the High Court of Ireland until 20th May 2021, underwent a comprehensive investigation. The DPC’s draft decision, prepared on 6th July 2022, set out significant findings, including the breach of Article 46(1) GDPR, and recommended suspending the data transfers.
Through the cooperation procedure mandated by GDPR Article 60, the DPC submitted the draft decision to Concerned Supervisory Authorities (CSAs) from other EU/EEA countries. While the majority of CSAs supported the DPC’s decision on Meta Ireland’s non-compliance with GDPR and the proposed suspension of data transfers, a small subset of CSAs raised objections. Among them, four CSAs insisted that Meta Ireland should face an administrative fine for the infringement, and two of those CSAs also called for corrective action regarding unlawfully transferred personal data.
When attempts to reach a consensus through informal consultations did not resolve the objections, the DPC referred them to the European Data Protection Board (EDPB) for resolution using the Article 65 dispute resolution mechanism.
On 13th April 2023, the EDPB made its decision, which served as the basis for the DPC’s final verdict on 12th May 2023. The DPC exercised its corrective powers, imposing the following penalties on Meta Ireland:
- A staggering administrative fine of $1.3 billion (€1.2 billion) to sanction the infringement identified by the EDPB. This hefty fine reflects the severity of the violations committed.
- An order, pursuant to Article 58(2)(j) of the GDPR, mandating Meta Ireland to suspend all future transfers of personal data to the United States within a period of five months from the date of the DPC’s decision notification.
- An additional order, in accordance with Article 58(2)(d) of the GDPR, directing Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR. This entails ceasing unlawful processing and storage of personal data of EU/EEA users in the United States, specifically data transferred in violation of the GDPR, within a six-month period following the DPC’s decision notification.
The staggering fine imposed on Meta Ireland serves as a clear signal that data privacy violations will not be tolerated, and it emphasizes the EU’s commitment to safeguarding the rights and freedoms of its citizens in the digital age.