Meta looks set to receive record GDPR fine from the DPC

18 May 2023

Image: © MichaelVi/

Ireland’s data authority will reportedly give its biggest ever GDPR fine next week and block Facebook’s legal tool for EU-US data transfers.

Ireland’s Data Protection Commission (DPC) is reportedly preparing to dish out a record GDPR fine to Meta over its data transfers from the EU to the US.

This penalty will be revealed on Monday 22 May and is expected to be larger than the €746m GDPR fine Amazon received in 2021, according to sources speaking with Politico. Sources also told Bloomberg and Reuters that the DPC is preparing to issue the record fine to Meta.

The issue is around the legality of Meta’s data transfers to the US for Facebook. Concerns have been raised by EU authorities for years that data protection in the US is insufficient to be compliant with GDPR.

As a result, it is also likely that the DPC will issue an order blocking a legal instrument used by Facebook to transfer EU data flows to the US, Reuters reports.

A draft decision was already issued by Ireland’s data authority earlier this year, but objections were raised by several other data authorities in Europe.

As a result, the European Data Protection Board (EDPB) stepped in last month and issued a binding decision on the matter, giving the DPC one month to make an order on Meta’s data transfers.

Last month, data protection commissioner Helen Dixon said other regulators didn’t dispute her order to ban the data transfer mechanism, Reuters reported.

The EDPB said its binding decision settled a dispute on whether an administrative fine and/or an additional order to bring processing into compliance should be included in the DPC’s final decision.

The EDPB previously criticised how the DPC investigated Meta’s handling of personal data and claimed the Irish regulator did not assess the processing of sensitive data in its investigation.

The DPC has given out some of the biggest GDPR fines to date. Last year, the Irish data authority fined Instagram €405m for violating children’s privacy, including its publication of kids’ email addresses and phone numbers in some cases. In 2021, the DPC fined WhatsApp €225m for GDPR breaches.

The road to safe data transfers

Meta has previously warned that it may have to pull Facebook and Instagram from the EU market if regulation around data transfers between Europe and the US does not come to fruition.

The EU is currently in the process of approving a new framework for safe data transfers with the US. This followed an executive order by US president Joe Biden last October showing the steps the US will take to implement its commitments under the EU-US Data Privacy Framework (DPF).

The DPF is a joint effort by the EU and the US to balance both bodies’ reliance on cross-border and transatlantic data flows for economic purposes with citizens’ privacy and civil liberties. It is estimated that this new framework could be ready by July.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic