This marks the largest GDPR fine ever issued and comes with orders for Meta to suspend EU-US data transfers within five months, though the company plans to appeal the decision.
The Irish Data Protection Commission (DPC) has fined Meta a record €1.2bn for its Facebook data transfers from the EU to the US.
This is the biggest fine issued by the DPC to date and is also the largest GDPR fine ever issued, trumping the €746m fine issued to Amazon in 2021.
The DPC has also ordered Meta Ireland to suspend future transfers of personal data to the US within five months and to bring its processing operations into GDPR compliance by “ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users” within six months.
In its decision, the DPC said Meta’s use of a legal instrument known as standard contractual clauses to transfer data “did not address the risks to the fundamental rights and freedoms” of European users of Facebook.
Concerns have been raised by EU authorities for years that data protection in the US is insufficient to be compliant with GDPR.
Meta revealed in a statement that it plans to appeal the DPC’s decision in court, including the “unjustified and unnecessary fine”.
Meta’s president of global affairs Nick Clegg and chief legal officer Jennifer Newstead said the issue is not about a single business, but about issues between the US government’s rules on access to data and European privacy rights “which policymakers are expected to resolve in the summer”.
“We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,” Clegg and Newstead said.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”
The DPC has issued multiple GDPR fines to Meta and its platforms over the years. Last year, the Irish data authority fined Instagram €405m for violating children’s privacy, including its publication of kids’ email addresses and phone numbers in some cases. In 2021, the DPC fined WhatsApp €225m for GDPR breaches.
John Magee, head of data protection, privacy and cybersecurity of DLA Piper Ireland said that while the latest fine is “certainly eye-catching”, the suspension order will probably “bite much harder for Meta”.
“The DPC’s decision also carries major implications for businesses across all sectors engaged in the day-to-day activity of international transfers of personal data,” Magee said.
“While global data transfers are still possible to lawfully carry out, the DPC’s decision has now raised the stakes, focussing attention on the controls that organisations need to have in place as well as forcing businesses to think about their overall data governance strategies.”
Meta has previously warned that it may have to pull Facebook and Instagram from the EU market if regulation around data transfers between Europe and the US does not come to fruition.
The DPC investigation
The DPC has been investigating Meta’s data transfers since 2020, with a gap period due to a High Court order until 20 May 2021. The Irish watchdog said it continued its investigation after this date and issued a draft decision on 6 July 2022.
The DPC said four data protection authorities in the EU raised issue with this draft decision and pushed for the fine for the GDPR infringement. Two authorities pushed for an action addressing data that has already been transferred to the US, which the DPC disagreed with.
As consensus could not be reached, the European Data Protection Board stepped in and issued an order on 13 April, which the DPC’s final decision adopted.
In January, the EDPB criticised how the DPC investigated Meta’s handling of personal data and claimed the Irish regulator did not assess the processing of sensitive data in its investigation.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.