EU Fines Meta $1.3 Billion for Violating GDPR Data Transfer Rules

The Irish Data Protection Commission (DPC) has imposed a record-breaking €1.2 billion fine ($1.3 billion) on Meta Ireland (formerly Facebook) for breaching Article 46(1) of the General Data Protection Regulation (GDPR).

The fine comes after Meta was found guilty of transferring the personal data of EU-based users to the United States, where data protection regulations were deemed inadequate to safeguard the rights of EU data subjects.

This article delves into the details of the case, the timeline of events, and Meta’s response to the fine.

Meta Found Guilty of Violating GDPR Data Transfer Rules

• Irish DPC finds Meta guilty of violating Article 46(1) of the GDPR
• Meta transferred EU users’ data to the US, where data protection regulations were inadequate
• Article 46(1) prohibits data transfers to countries lacking sufficient safeguards

Record-Breaking Fine and Suspension of Data Transfers

• DPC imposes a €1.2 billion fine on Meta Ireland, a record penalty
• DPC demands the suspension of all GDPR-violating data transfers within five months
• Meta must cease processing or holding illegally transferred data within six months

Timeline of Events Leading to the Fine

• Privacy Shield case prompts changes in international data transfers under GDPR
• Irish DPC initiates an inquiry into Meta’s data transfer activities in August 2020
• European Data Protection Board (EDPB) issues a binding decision in April 2023

Meta’s Response and Planned Appeal

• Meta emphasizes the importance of seamless cross-border data transfers for business continuity
• Standard Contractual Clauses (SCCs) used by Meta deemed compliant by CJEU
• Meta plans to appeal the ruling, claiming the fine and orders are unfair and disproportionate

The Irish DPC’s imposition of a €1.2 billion fine on Meta Ireland for violating GDPR data transfer rules sets a significant precedent for data protection enforcement in the European Union.

While Meta argues that SCCs provide legal safeguards, the DPC and EDPB maintain that the company’s data transfers to the US did not meet GDPR requirements.

Meta plans to contest the severity of the fine and orders, citing conflicts between US government rules and European privacy rights that policymakers aim to resolve with the upcoming Data Privacy Framework.