Meta, the umbrella company that owns Facebook, was fined €1.2 billion by the Irish Data Protection Authority (IE DPA). According to the European Data Protection Board (EDPB), it is the largest fine ever imposed over GDPR breaches.
The fine was imposed because Meta had been transferring the personal data of European users to the United States under standard contractual clauses since July 2020, which the EDPB deemed unlawful. The company needs to discontinue the procedure within a six-month timeframe.
According to the Data Protection Commission (DPC), Meta Ireland breached Article 46(1) of the GDPR. The article itself allows organizations to transfer data to a third country or international organization provided there are appropriate safeguards and effective legal remedies for data subjects. The DPC concluded that the measures taken by Meta were inadequate in addressing the risks to data subjects’ rights and freedoms.
The inquiry was initiated back in August 2020 but received a green light from the Irish courts in May 2021. The DPC had time to prepare a draft of the decision, which was supported by most of the other EU/EEA members.
Andrea Jelinek, EDPB President, said the violation is “very grave since it involves transfers that are regular, frequent, and ongoing”. She also added that the unprecedented fine should warn other companies that “serious breaches have far-reaching consequences”.