Meta Platforms Ireland Limited – €1,200,000,000 Fine (Ireland, 2023)

The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 1.2 billion. This is the highest fine imposed to date under the GDPR. In its decision, the DPC found that Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU. According to the Schrems II ruling, U.S. law does not provide a level of protection for personal data substantially equivalent to that provided by EU law and that the standard contractual clauses (SCCs) also do not provide sufficient protection. Meta based its data transfers on the SCCs and additional own safeguards. However, during its investigation, the DPC determined that these additional measures did not compensate for the inadequate protections provided by U.S. law. Following the investigation, the DPC submitted a draft decision to other concerned supervisory authorities pursuant to Art. 60 GDPR. In response, the DPC received objections from supervisory authorities, which led to a dispute resolution procedure before the European Data Protection Board (EDPB). In its decision, the EDPB asked the DPC to amend the proposed fine and adapt it to the seriousness of the data protection breach. The DPC also ordered to cease any future transfer of personal data to the U.S., as well as to cease storage, within six months, of data already transferred to the U.S. Meta has announced that it will appeal the ruling and seek a suspension of the orders in court.