EU data protection authorities fine Meta 1.2 billion, data transfer to the U.S. banned

[German]The European Data Protection Board (EDPB) has imposed a record fine of 1.3 billion euros on Facebook parent Meta. The reason was the transfer of personal data of European users to the US without their consent – which was considered a GDPR violation.


Highest GDPR fine of the EU so far

The fine against Meta Platforms Ireland Limited (Meta IE) was imposed following the EDPB's binding dispute resolution decision of April 13, 2023. The €1.2 billion fine is the largest GDPR fine ever imposed and relates to transfers of personal data to the U.S. based on Meta's standard contractual clauses (SCC), which have been in place since July 16, 2020. In addition, Meta has been ordered by the EU data protection regulator to bring its data transfers in line with the GDPR.Andrea Jelinek, EDPB chair, is quoted in a statement as saying, "The EDPS has found that Meta IE's breach is very serious, as it involves systematic, repeated and continuous transfers. Facebook has millions of users in Europe, so the volume of personal data transferred is enormous. The unprecedented fine sends a strong signal to companies that serious breaches have far-reaching consequences."

Decision of Irish data protection authority corrected

In its binding decision of April 13, 2023, the European Data Protection Board (EDPS) instructed the Data Protection Authority of Ireland to amend its draft decision and impose a fine on Meta IE. Given the seriousness of the breach, the EDPS found that the starting point for calculating the fine should be between 20% and 100% of the applicable statutory maximum.

The EDPS also instructed the UK DPA to order Meta IE to bring the processing operations into compliance with Chapter V of the GDPR by ceasing, within six months of the notification of the final decision of the UK DPA, the unlawful processing, including storage, of the personal data of European users in the US transferred in breach of the GDPR.

The DPA's final decision incorporates the legal assessment made by the European Data Protection Board in its binding decision based on Article 65(1)(a) of the GDPR after the Irish DPA, as lead supervisory authority (LSA), initiated dispute resolution proceedings regarding objections raised by several concerned supervisory authorities (CSAs). Among other things, the supervisory authorities raised objections seeking to impose a fine and/or an additional order to bring the processing into compliance with the GDPR.

DLF also writes that Meta must stop any further transfer of European personal data to the United States. The reasoning: The company remains subject to U.S. surveillance laws. The U.S. company sees the fine as unjustified and announced it would appeal the ruling.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *