The Biggest Data Protection Fine To Date – Meta Can’t Catch a Break


On the five-year anniversary of the enforcement of the EU’s General Data Protection Regulation (GDPR), Ireland’s Data Protection Commission (DPC) issued a decision punishing the well-known company Meta for violating the rules on the international transfer of personal data on an unprecedented scale.

Let us remind you that Meta has already been fined several times by the same authority for failing to comply with the provisions of the GDPR. The company has not yet digested the previous fine from a few months ago (its highest one at the time), which was imposed for collecting and processing data through the Facebook and Instagram services for targeted advertising without a proper legal ground. The new fine of 1.2 billion euros is three times higher than the previous one.

This fine even exceeds the fine of 746 million euros imposed on Amazon by the Luxembourg National Commission for Data Protection (CNDP) back in July 2021, also for non-compliance with personal data protection regulations, making the Meta fine currently the top-ranking penalty in this field.

Which of Meta’s Actions Were Worth a Fine of 1.2 Billion Euros?

The short answer is that Meta transferred Facebook users’ personal data from the EU to the United States without providing appropriate safeguards.

To see precisely where the problem arose, it is necessary to first understand the legal framework of international data transfer. If you want to learn more about the international transfer of data, you can do that in our latest blog post, “International transfer of data – Are you compliant?”

First, the GDPR sets conditions for the transfer of data from the European Union to third countries. Data can be freely transferred to other countries if EU authorities have assessed that the legislation of the recipient’s country provides adequate protection. Since the United States is not on the list of countries considered to offer data protection equivalent to that of EU member states, additional conditions must be met for such transfers to take place.

The agreement previously concluded between the EU and the US known as Privacy Shield has ceased to apply because the Court of Justice of the European Union has deemed that this agreement doesn’t give enough security to the information transmitted from Europe to the US. Although the new agreement (Privacy Shield 2.0), which would provide better data protection, is expected to be adopted soon, data controllers currently cannot rely on any international agreement for their data transfers across the Atlantic.

A weaker level of data protection prescribed by the laws of a country such as the US can be compensated for by contracts concluded between data controllers, processors, and/or recipients which include SCCs (Standard Contractual Clauses) and a Data Transfer Impact Assessment (DTIA).

However, Meta Platforms Ireland Limited transferred personal data in accordance with the transfer and processing agreement concluded with its US equivalent, Meta Platforms, Inc., which incorporated the European Commission’s 2021 Standard Contractual Clauses (SCCs), and it was still found to be in breach of the GDPR. The agreement between those two companies even included a Data Transfer Impact Assessment (DTIA) which determined the risks and consequences of such a transfer.

You must be wondering what exactly is wrong with this transfer of Facebook users’ data if Meta implemented the measures mentioned above.

Namely, in 2020, the European Court of Justice issued the Schrems II judgment[1], which tightened the rules on data transfers to third countries. This judgment established that SCCs are still considered good practice, but these clauses are no longer enough. Data controllers must understand that they can’t just rely on a signed paper; they must inform themselves of the recipient country’s degree of compliance with the GDPR.

In this case, the DPC, in cooperation with the European Data Protection Board (EDPB) and other European Concerned Supervisory Authorities (CSAs), decided that all the efforts Meta had made were not adequate to protect the rights and freedoms of the people whose personal data was being transferred.

In a nutshell, the supervisory authorities found that:

  • The level of protection of US law is not equivalent to the level provided by EU law;
  • The inadequate protection provided by US law cannot be compensated for by the use of SCCs or by Meta’s measures set out in the TIA;
  • Meta did not fulfill the criteria to rely on the derogations provided in the GDPR regarding data transfer.

Consequences and Meta’s Response

In its decision, Ireland’s data protection authority has ordered Meta to:

  • Pay a fine of 1.2 billion euros for its breach of the GDPR;
  • Bring its processing operations into compliance with the GDPR within the period of 6 (six) months from the date on which the decision is notified to Meta, by ceasing the unlawful processing, including storage, in the US of personal data of EEA (European Economic Area) users transferred in violation of the GDPR;
  • Suspend any future transfer of personal data to the US within the period of five months starting from the date the DPC’s decision is issued to Meta Ireland.

Meta has announced in its response to the DPC’s decision that the company will appeal against the decision, which it considers unfair and excessive. Meta’s officials also stated that there won’t be any immediate disruption of the provision of Facebook services in Europe. One of the main talking points in Meta’s response was that Facebook’s case was singled out when other organizations providing their services on European territory are using the same legal mechanism.

Meta’s argument that many other companies also use similar measures when transferring data to third countries bears some truth. Therefore, it could be said that Meta was just the first scapegoat and that this decision serves as a warning to everyone who needs to make additional efforts to ensure that the protection of personal data is maintained at the same level even when transferred to other continents.

Although many companies operating both in Europe and the US are hopeful that the new Privacy Shield 2.0 will soon come into effect, currently it is just wishful thinking rather than a reality that one needs to align their business with.


Zunic Law

