Facebook… sorry, Meta has to pay a fine of more than €1.2 billion ($1.3 billion), ruled the Data Protection Commission of Ireland.
The penalty was declared after the Data Protection Commission of Ireland concluded its inquiry into Meta Ireland, focusing on the transfer of personal data from the EU/EEA to the US for the Facebook service.
The company must halt data transfers to the US as a consequence of its handling of user information, according to the Irish regulator’s ruling against the social media network.
Additionally, Meta has been given a five-month deadline to cease transferring users’ data to the United States.
The fine imposed by the Irish Data Protection Commissioner of Ireland surpasses the previous EU privacy record of €746 million imposed on Amazon.com Inc by Luxembourg in 2021.
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous,” EDPB Chair Andrea Jelinek said in a statement.
“Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
Data Protection Commission of Ireland and the Facebook probe
“The DPC adopted its final decision in this inquiry on 12 May 2023. The decision records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems,” said the DPC announcement.
The inquiry began in August 2020 and was temporarily suspended pending legal proceedings until May 20, 2021.
After an extensive investigation, the DPC issued a draft decision on July 6, 2022, concluding that the data transfers were in breach of the GDPR’s Article 46(1) and should be suspended.
In accordance with the GDPR’s cooperation procedure (Article 60), the draft decision was submitted to Concerned Supervisory Authorities (CSAs) for their input. All EU/EEA Supervisory Authorities participated as CSAs due to the nature of the processing under investigation.
The CSAs agreed with the DPC’s decision regarding Meta Ireland’s non-compliance with the GDPR and the proposal to suspend data transfers.
However, four out of the 47 CSAs raised objections regarding the DPC’s proposed corrective powers.
While all four CSAs believed that Meta Ireland should face an administrative fine, two of them also suggested that Meta Ireland should take action to address unlawfully transferred personal data from July 2020 to the present.
On April 13, 2023, the EDPB reached its decision, leading the DPC to adopt its final decision on May 12, 2023.
Data Protection Commission of Ireland and privacy penalties
Since September 2021, the Irish data watchdog has fined Meta, which owns Instagram and WhatsApp, almost €1 billion. It also regulates Apple, Google, TikTok, and other technology platforms with EU headquarters in Ireland.
In November of the previous year, the watchdog fined Meta €265 million for a breach that resulted in the exposure of details of over 500 million users online.
This penalty came shortly after a €405 million fine imposed on Meta for allowing teenagers to create Instagram accounts that publicly displayed their phone numbers and email addresses.
However, the potential suspension’s significance could be diminished if the US and EU implement a new data transfer agreement, which has already been agreed upon at a political level.
“This case relates to a historical conflict between EU and US law, which is in the process of being resolved through the new EU-US Data Privacy Framework,” A Meta spokesperson told reporters in March about the latest probe.
“We appreciate the progress made by policymakers towards ensuring the continued transfer of data across borders and await the regulator’s final decision on this matter.”