PogoWasRight.org

Menu
  • About
  • Privacy
Menu

Meta Fined Record $1.3 Billion For Violating EU Privacy Rules

Posted on May 22, 2023June 24, 2025 by Dissent

Well, the fine was even bigger than had been anticipated. Siladitya Ray reports:

Facebook’s parent Meta has been ordered to pay a record $1.3 billion (€1.2 billion) fine by the European Union, for failing to adhere to the bloc’s stringent privacy rules, in the latest severe financial penalty handed to an American tech giant by the EU.

And in addition to the record-setting Meta has been ordered to suspend “any future transfer of personal data” to the U.S. within the next five months.”

Read more at Forbes.

The Data Protection Commission’s press release:

Data Protection Commission announces conclusion of inquiry into Meta Ireland

22nd May 2023

The Data Protection Commission (“the DPC”) has today announced the conclusion of its inquiry into Meta Platforms Ireland Limited (“Meta Ireland”), examining the basis upon which Meta Ireland transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service.

The DPC adopted its final decision in this inquiry on 12 May 2023. The decision records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.

The inquiry was initially commenced in August 2020, and was subsequently stayed by Order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021. Following a comprehensive investigation, the DPC prepared a draft decision dated 6 July 2022. Notably, it found that:

1. the data transfers in question were being carried out in breach of Article 46(1) GDPR; and

2. in these circumstances, the data transfers should be suspended.

Under a cooperation procedure mandated by the GDPR (Article 60), the draft decision prepared by the DPC was submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”).  The nature of the processing under examination by the inquiry was such that all other EU/EEA Supervisory Authorities were engaged as CSAs for the purpose of the cooperation procedure.

On the question of Meta Ireland’s non-compliance with the GDPR, and the DPC’s proposal to make an order to suspend the data transfers, the CSAs agreed with the DPC’s decision.

A small number (4) of the 47 CSAs raised objections in relation to the corrective power that the DPC proposed to exercise by way of the draft decision. Within this subset of CSAs, all four CSAs took the view that Meta Ireland should be subject to an administrative fine for the infringement that was found to have occurred. Two of those CSAs also took the view that Meta Ireland should be ordered to take action to address the personal data that had already been unlawfully transferred to the US, i.e. the data transferred from July 2020 to the present.

The DPC disagreed, reflecting its view that the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being “appropriate, proportionate and necessary” to address the infringement of Article 46(1) GDPR.

Following an informal consultation process, it became clear that consensus could not be reached. Consistent with its obligations under the GDPR, the DPC referred the objections to the European Data Protection Board (“the EDPB”) for determination pursuant to the Article 65 dispute resolution mechanism.

The EDPB adopted its decision on 13 April 2023.  Consistent with its obligations to adopt its final decision “on the basis of” the EDPB’s decision, the DPC’s decision of 12 May 2023 records the exercise of the following corrective powers by the DPC:

  1. an order, made pursuant to Article 58(2)(j) GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland;
  2. an administrative fine in the amount of €1.2 billion (reflecting the EDPB’s determination that an administrative fine ought to be imposed, to sanction the infringement that was found to have occurred. The DPC determined the amount of the fine to be imposed by reference to the assessments and determinations that were included in the EDPB’s decision); and
  3. an order, made pursuant to Article 58(2)(d) GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the DPC’s decision to Meta Ireland.

The EDPB has published the Article 65 decision and the final decision on its website.

Related posts:

  • TikTok Loses First Appeal Against £12.7M ICO Fine, Faces Second Investigation by DPC
  • Data Protection Commission publishes 2023 Annual Report
Category: BusinessFeatured News

Post navigation

← Charlotte FBI, Bank of America dragged into congressional dispute over Capitol riot
FTC Files Brief in Jones v. Google in Support of Appeals Court Ruling that COPPA Does Not Preempt Plaintiffs’ State Privacy Claims →

Now more than ever

Search

Contact Me

Email: info@pogowasright.org

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

Categories

Recent Posts

  • Navigating Privacy Gaps and New Legal Requirements for Companies Processing Genetic Data
  • Germany’s top court holds that police can only use spyware to investigate serious crimes
  • Flightradar24 receives reprimand for violating aircraft data privacy rights
  • Nebraska Attorney General Sues GM and OnStar Over Alleged Privacy Violations
  • Federal Court Allows Privacy Related Claims to Proceed in a Proposed Class Action Lawsuit Against Motorola
  • Italian Garante Adopts Statement on Health Data and AI
  • Trump administration is launching a new private health tracking system with Big Tech’s help

RSS Recent Posts on DataBreaches.net

  • Updating: Two Telegram channels and two accounts banned, one bounty offered, and BreachForums goes down
  • North Korean Kimsuky Hackers Suffer Data Breach as Insiders Leak Information Online
  • Hackers post stolen St. Paul data online as efforts to reset city employee passwords surge forward
  • Justice Department Announces Coordinated Disruption Actions Against BlackSuit (Royal) Ransomware Operations
  • NL: Hackers breach cancer screening data of almost 500,000 women
©2025 PogoWasRight.org. All rights reserved.
Menu
  • About
  • Privacy