Ireland’s Data Protection Commission (DPC) announced the conclusion of its inquiry into Meta Ireland, issuing the Facebook parent company with a €1.2 billion ($1.3 billion) fine. DPC ordered Meta to stop transferring Facebook users’ data from Europe to the US. Meta responded Monday, stating they intend to appeal the ruling. Under the ruling, Meta must “suspend any future transfer of personal data to the US” and pay a €1.2 billion fine. Meta must also “bring its processing operations into compliance with…the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data” of EU users.
The DPC pursued charges against Meta based upon article 46(1) of the General Data Protection Regulation (GDPR). The law, enacted by the EU in 2018, prevents the transfer of personal user data from the EU to a third party or international organization. The DPC also relied upon a July 2020 ruling, in which the European Court of Justice (ECJ) struck down a privacy shield agreement between the EU and the US. The DPC said that Meta failed to comply with the court’s ruling, which was meant to protect against risks to EU citizens’ fundamental rights and freedoms.
Meta argued the transference of user data from Europe to the US was necessary to facilitate their European operations. In a statement, Meta said: “Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”
The DPC first initiated the inquiry in August 2020. While the DPC announced the ruling on Monday, their decision was finalized on May 12. Along the way to finalizing their ruling, the DPC ran into some disagreement among the Concerned Supervisory Authorities (CSAs), the DPC’s peer regulators in the EU. To settle the disagreement over the scope of the DPC’s power to issue such a fine, both parties went before the European Data Protection Board (EDPB). The EDPB agreed with the DPC, finding that Meta committed a “very serious” infringement into EU users’ data rights. EDPB then green-lit the €1.2 billion fine against Meta. EDPB Chair Andrea Jelinek said, “The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
This is not the first time the DPC has taken on Meta. The DPC previously fined Meta Ireland for €390 million in January, €265 million in November 2022 and €17 million in March 2022–all over violations of the GDPR.
There is a five month grace period before Meta must comply with this most recent ruling, but that may be extended to a longer period of time if Meta appeals the ruling. Meta stated there would be no disruptions to their European operations, despite the announcement of the ruling.