Meta given €1.2b fine for breach of the GDPR

In May 2023, Meta, the owner of Facebook, was given a record-breaking €1.2b (£1b) GDPR fine by Ireland’s Data Protection Commission (DPC).

The fine was imposed because Meta breached Article 46 of the EU GDPR by transferring personal data from Europe to the US, because although Meta implemented a number of organisational and technical measures, if the US Government was to request such data under the Foreign Intelligence Surveillance Act, Meta would be required to disclose it, and this contradicts the protections offered by the GDPR.

The ruling stems from the 2020 Schrems II case, where the European Court of Justice (ECJ) determined that Privacy Shield Framework could no longer be relied upon for GDPR compliance. Organisations transferring personal data to the US must now consider alternative measures, such as standard contractual clauses (SCCs). The DPC found that Meta’s measures did not adequately address the risks to data subjects’ rights and freedoms, resulting in the significant fine and a suspension of future data transfers to the US.

Whilst a political solution may be on the horizon, as the European Commission and the US have reached a preliminary agreement on a new Trans-Atlantic Data Privacy Framework, companies must ensure compliance with the current framework until these solutions materialise.

The EU GDPR sets a maximum fine of €20m or 4% of annual global turnover, whichever is the greater, and UK GDPR sets a maximum fine of the of £17.5m or 4% of the organisation’s global annual turnover.

Therefore, whilst this record-breaking fine is at the upper end of the extreme, it serves as a stark reminder to companies of the importance of GDPR compliance.

Please note that this information is for general guidance only and should not substitute professional legal advice. If you have specific concerns, we recommend consulting with one of our legal experts.