Meta Ireland – €1,200,000,000 Fine (Ireland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Meta Ireland was fined EUR 1.2 billion by the Irish Data Protection Commission for transferring personal data to the U.S. without adequate protection. The transfers did not meet GDPR standards due to insufficient safeguards against U.S. intelligence access. This case is a major development in the ongoing scrutiny of transatlantic data transfers.
What happened
Meta Ireland transferred personal data to the U.S. without adequate protection, violating GDPR standards.
Who was affected
The affected individuals were users whose personal data was transferred from the EU to the U.S. by Meta Ireland.
What the authority found
The Irish authority determined that Meta Ireland's data transfers lacked sufficient safeguards against U.S. intelligence access, breaching GDPR requirements.
Why this matters
This landmark fine underscores the challenges of international data transfers and the need for robust safeguards. Companies should reassess their data transfer mechanisms to ensure compliance with GDPR.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In the aftermath of the Schrems I and II judgements ([https://curia.europa.eu/juris/liste.jsf?num=C-362/14 C-362/14] and [https://curia.europa.eu/juris/liste.jsf?num=C-311/18 C-311/18]), the Irish DPA started an ex office procedure into the issue of Meta Platforms Ireland Ltd. (Meta Ireland) transferring personal data to Meta Platforms Inc. (Meta U.S.) in violation of Chapter V of the GDPR. Meta Ireland had been transferring personal data to the U.S. despite the lack of a valid adequacy decision under Article 45 GDPR (as both “safe harbor” and its successor “privacy shield” were invalidated by the CJEU in Schrems I and II). While negotiation of a new adequacy decision for EU-U.S. data transfers are ongoing, Meta Ireland claimed to have undertaken data transfers on the basis of standard contractual clauses adopted by the Commission under Article 46(2)(c) GDPR even before the CJEU passed the Schrems II decision. First, the Irish DPA ascertained whether US law guaranteed an essentially equivalent level of protection of data protection rights in light of Schrems II. This was excluded by the supervisory authority, especially due to the lack of effective judicial remedies against the violation of data subjects’ fundamental rights by U.S. intelligence agencies and due to the lack of limitations imposed on the latters’ investigation powers. The latest developments in U.S. law (which are supposed to ensure a higher level of protection for data transferred to the U.S.) were deemed insufficient by the Irish DPA, especially since some of the promised reforms have not yet been implemented. Second, the Irish DPA found that Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR invoked by Meta Ireland could not compensate for the lack of an equivalent level of data protection. In particular, SCCs did not (and could not) address the activity of U.S. intelligence agencies or the lack of judicial remedies against such activity. Third, the supervisory authority cons
Related Enforcement Actions (0)
No other enforcement actions found for Meta Ireland in IE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
12 May 2023
Authority
Data Protection Commission
Fine Amount
€1,200,000,000
GDPRhub ID
gdprhub-5944About this data
Cite as: Cookie Fines. Meta Ireland - Ireland (2023). Retrieved from cookiefines.eu
Last updated: