Meta (formerly Facebook) Is Hit with an Enormous 1.2 Billion Euro Fine for Data Protection Violations

The Irish Data Protection Commission (DPC) found that Meta Platforms (formerly known as Facebook) violated the GDPR due to continuing to transfer personal information from the European Union to the United States following the Schrems II decision of the CJEU in reliance on the Standard Contractual Clauses (SCC). The fine, 1.2 billion Euros, is the largest fine imposed to date under the GDPR. The Irish Data Protection Commission also prohibited Meta from using SCC as a basis for transferring information from the EU to the United States.

The DPC found that the SCCs do not mitigate the risks to the fundamental rights and freedoms of EU data subjects, such as the possibility of US security and intelligence agencies collecting and monitoring extensive personal information of EU users on Facebook. While the decision specifically refers to Meta, it has direct implications for all information transfers from the EU to the United States.

In its initial draft decision, the DPC found that Meta violated the GDPR and, therefore, ordered Meta to cease the transfer of personal data from the EU to the United States. EU data protection authorities discussed this draft but failed to reach an agreement regarding the measures to be taken against Meta. Therefore, the DPC referred the matter to the European Data Protection Board (EDPB) to resolve the dispute.

A few weeks ago, the EDPB reached its binding decision, which instructed the DPC to impose a fine in the range of 20% to 100% of the highest fine permitted under the GDPR and to change the processing and transfer of personal data. Following the EDPB decision, The Irish Data Protection Commission decided on a 1.2 billion Euro fine. It also ordered Meta to suspend all future transfers of personal information to the United States within five months from the date of the DPC’s notification to Meta Ireland. Finally, it requires Meta to suspend the unlawful processing and storage in the United States of existing personal data within six months.

Meta plans to appeal the decision of the DPC. It also indicated that it relied on the validity of the SCCs like thousands of other companies.

Click here to read the press release of the Ireland Data Protection Commission.

Click here to read the decision of the EDPB on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR).

Click here to read the final decision of the Irish Data Protection Commission in the matter of Meta Platforms.