Brussels: Following the EDPBs binding dispute resolution decision of Apr 13, Meta Platforms Ireland Limited (Meta IE) was issued a 1.2 billion euro fine following an inquiry into its Facebook service, by the Irish Data Protection Authority (IE DPA).
This fine, which is the largest GDPR fine ever, was imposed for Metas transfers of personal data to the U.S. on the basis of standard contractual clauses (SCCs) since 16 July 2020.
Furthermore, Meta has been ordered to bring its data transfers into compliance with the GDPR.
Andrea Jelinek, EDPB Chair, said: The EDPB found that Meta IEs infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.
In its binding decision of 13 April 2023, the EDPB instructed the IE DPA to amend its draft decision and to impose a fine on Meta IE.
Given the seriousness of the infringement, the EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum.
The EDPB also instructed the IE DPA to order Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the U.S. of personal data of European users transferred in violation of the GDPR, within 6 months after notification of the IE SAs final decision.
The IE DPAs final decision incorporates the legal assessment expressed by the EDPB in its binding decision, adopted on the basis of Art. 65(1)(a) GDPR after the IE DPA, as lead supervisory authority (LSA), had triggered a dispute resolution procedure concerning the objections raised by several concerned supervisory authorities (CSAs). Among others, CSAs issued objections aiming to include an administrative fine and/or an additional order to bring processing into compliance.
