EU fines Meta €1.2 billion over personal data ‘mishandling’


Global tech giant Meta has been slapped with a record €1.2 billion fine by EU data protection officers.

The fine came as the Data Protection Commission (“the DPC”) announced the conclusion of its inquiry into Meta Platforms Ireland Limited, examining the basis upon which Meta Ireland transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service.

The DPC said it adopted its final decision in its enquiry into the Facebook owner on 12 May 2023.

The decision records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.

Meta EU data failure

“While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment”, the DPC said.

The inquiry was initially commenced in August 2020, and was subsequently stayed by Order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021.

Following a comprehensive investigation, the DPC prepared a draft decision dated 6 July 2022.

Notably, it found that the data transfers in question were being carried out in breach of Article 46(1) GDPR; and that, in these circumstances, the data transfers should be suspended.

The DPC issued an order requiring Meta Ireland to suspend any future transfer of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland;

It also imposed administrative fine in the amount of €1.2 billion (reflecting the EDPB’s determination that an administrative fine ought to be imposed, to sanction the infringement that was found to have occurred.

The DPC said it determined the amount of the fine to be imposed by reference to the assessments and determinations that were included in the EDPB’s decision).

Finally, it also issued an order requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC’s decision to Meta Ireland.