The fine is the largest ever imposed under the General Data Protection Regulation (GDPR) since it came into effect on 25 May 2018, eclipsing the previous fine of €746 million handed down to Amazon in July 2021.
The DPC’s investigation found that Meta Ireland had failed to provide adequate safeguards to protect the personal data of EU citizens in data transfers to the US. Meta Ireland had previously relied on the EU-US Privacy Shield agreement for these transfers. However, this agreement was invalidated by the Court of Justice of the European Union (CJEU) on 16 July 2020, following its judgment in DPC v Facebook Ireland Limited and Maximillian Schrems [C-311/18]. In that case, the CJEU found that the continued transfer of data by Meta Ireland from the EEA to the US was an infringement of Article 46(1) of the GDPR. Article 46(1) of the GDPR allows transfer of personal data to a third country (non-EU) in the absence of an adequacy decision on condition that the data subject has access to appropriate safeguards on par with the protections detailed in the GDPR.
Meta Ireland had continued to facilitate data transfers from the EEA to the US by way of Standard Contractual Clauses (SCCs), pre-approved data protection clauses that allow data controllers to comply with EU data protection obligations by ensuring that data subjects are afforded the appropriate safeguards, allowing the legal transfer of data from the EU to a third country. However, the DPC found that Meta Ireland’s SCCs did not address “the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.”
The initial draft decision prepared by the DPC was subject to review by its EU peers in accordance with Article 60 of the GDPR. A disagreement between the DPC and four of its EU peers, relating to the administrative fine and the DPC’s view that an administrative fine would exceed the extent of the powers that could be described as “appropriate, proportionate and necessary”, led to the objections being referred to the European Data Protection Board (EDPB) pursuant to Article 65 of the GDPR.
The EDPB adopted its decision on 13 April 2023, which led to the DPC’s decision issued “on the basis of” the EDPB’s decision on 12 May 2023. This resulted in the following corrective powers being exercised:
- Meta Ireland is to suspend any future transfer of personal data to the US within five months of the date of the DPC’s notification to Meta of its decision;
- An administrative fine of €1,200,000,000; and
- An order requiring Meta Ireland to bring its data processing operations into compliance with the GDPR within six months of the date of the DPC’s notification to Meta of its decision.
Meta’s President of Global Affairs Nick Clegg has issued a statement indicating that Meta will pursue an immediate stay and will seek to appeal the fines. He also highlighted that the fine raised “serious questions” about the process which allows the EDPB to overrule a lead regulator, in this case the DPC.
Meta’s response to the DPC decision is available here.
The EDPB’s full decision is available here.
Written by: Steven Whelan and Rosie Callan