The European Data Protection Board (EDPB) has targeted Facebook, owned by Meta Platforms, with a record-breaking GDPR fine over data transfers.
The EDPB, a Brussels-based independent body that promotes the application of data protection rules across the EU, has imposed a record-breaking GDPR fine of 1.2 billion euros on Meta Platforms Ireland Limited (Meta IE). The announcement came on May 22, 2023, after an investigation led by the Irish Data Protection Authority (IE DPA) into Meta’s Facebook service.
This unprecedented fine, the largest ever under GDPR, was brought against Meta for transferring personal data to the U.S. using standard contractual clauses (SCCs) since July 16, 2020. In addition, Meta has been ordered to bring its data transfers into compliance with the GDPR.
EDPB Chair Andrea Jelinek commented on the severity of Meta’s violation, noting that the transfers were systematic, repetitive, and continuous. Given Facebook’s vast user base in Europe, the transfer volume of personal data is substantial. Jelinek emphasized that this hefty fine sends a strong message to organizations that serious violations come with severe consequences.
The EDPB’s binding decision on April 13, 2023, required the IE DPA to adjust its draft decision and levy a fine against Meta. Considering the severity of the violation, the EDPB recommended that the fine amount be anywhere between 20% and 100% of the maximum legal limit. Additionally, the EDPB directed the IE DPA to order Meta to ensure its processing operations comply with Chapter V of GDPR. This compliance includes ceasing the unlawful processing and storage of personal data of European users in the U.S. that were transferred in violation of the GDPR within six months following the notification of the IE DPA’s final decision.
The IE DPA’s final decision, which integrates the EDPB’s legal assessment, was formed following a dispute resolution procedure. This procedure was triggered by the IE DPA, serving as the lead supervisory authority (LSA), in response to objections raised by several concerned supervisory authorities (CSAs). These CSAs objected to the case, urging the inclusion of an administrative fine and/or an additional order to align processing with compliance.