GDPR: Record fine imposed on Meta

The Irish data protection authority has imposed a fine of €1.2 billion on Meta. This is the highest fine ever imposed on the basis of the GDPR. The reason is Meta’s ongoing data transfer from the EU to the USA.

Data transfer to the USA

The background of the penalty is the persistent data transfer of Metas from the EU to the USA. In this case, only the practice of Facebook was dealt with – other meta services such as WhatsApp or Instagram are accordingly not affected. The dispute began in 2013 as a result of a lawsuit filed by Austrian data protection activist Max Schrems, who felt that EU citizens’ data was not adequately protected in the U.S. following Edward Snowden’s revelations. In particular, he cited U.S. intelligence agencies’ access to the data as a problem. As a result, the EU’s highest court ruled in 2020 that the Privacy Shield agreement between the EU and the US was invalid because it did not ensure adequate protection of personal data in the US.

This means that a legal transfer of personal data from the EU to the USA is no longer possible. However, Meta has continued to transfer relevant data to the U.S. at Facebook. Since the basis for such a transfer had ceased to exist with the lapse of the Privacy Shield agreement, this constitutes a violation of the GDPR.

Record fine of €1.2 billion

The Irish data protection authority, which in the past has been noted as being rather hesitant and generally using its discretionary powers in the interests of defendant companies to prop up Irish economic policy, has now imposed a record fine. The fine of €1.2 billion is the highest ever imposed based on the GDPR.

In addition to the fine, Meta has been given some conditions. For example, the company is obliged to stop transferring data within five months. Furthermore, it must bring the data already transferred back to the EU within six months.