{"id":39795,"date":"2023-06-13T09:34:54","date_gmt":"2023-06-13T07:34:54","guid":{"rendered":"https:\/\/zuniclaw.com\/the-biggest-data-protection-fine-to-date-meta-can-t-catch-a-break\/"},"modified":"2025-05-15T10:14:41","modified_gmt":"2025-05-15T08:14:41","slug":"meta-gdpr-fine","status":"publish","type":"post","link":"https:\/\/zuniclaw.com\/en\/meta-gdpr-fine\/","title":{"rendered":"The Biggest Data Protection Fine To Date \u2013 Meta Can\u2019t Catch a Break"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

On the five-year anniversary of the enforcement of the EU\u2019s General Data Protection Regulation (GDPR), Ireland\u2019s Data Protection Commission (DPC) issued a decision punishing famous company Meta for violating the rules on the international transfer of personal data on an unprecedented scale.<\/p>

Let us remind you that Meta has already been fined several times by the same authority for failing to comply with the provisions of the GDPR. The company has not yet digested the previous fine from a few months ago<\/a> (their highest one at the time), which was imposed for collecting and processing data through Facebook and Instagram services for targeted advertising without proper legal ground. The new fine of 1.2 billion euro is three times higher than the previous one.<\/p>

This fine even exceeds the fine imposed on Amazon by the Luxembourg National Commission for Data Protection (CNDP<\/a>) back in July 2021 in the amount of 746 million euro, also for non-compliance with personal data protection regulations, making it currently the top-ranking penalty in this field.<\/p><\/div><\/section>

\u00a0<\/div>

\u00a0<\/h2>

What Meta\u2019s Actions Were Worth a Fine of 1.2 Billion Euros?<\/h2><\/div>

\u00a0<\/p>

The short answer is that Meta transferred Facebook users\u2019 personal data from the EU to the United States without providing appropriate safeguards<\/a>.<\/p>

In order to detect precisely where the problem arose, it is necessary to first understand the legal framework of international data transfer. If you want to learn more about the international transfer of data, you can do that on our latest blog International transfer of data \u2013 Are you compliant?<\/p>

Firstly, GDPR sets conditions for the transfer of data to third countries from the European Union. Data can be freely transferred to other countries if EU authorities have assessed that the legislation of the recipient\u2019s country provides adequate protection. Since the United States is not on the list of countries considered to offer equal data protection as EU member states, additional conditions must be met for such transfers to take place.<\/p>

The agreement previously concluded between the EU and the US known as Privacy Shield has ceased to apply<\/a> because the Court of Justice of the European Union has deemed that this agreement doesn\u2019t give enough security to the information transmitted from Europe to the US. Although the new agreement (Privacy Shield 2.0), which would provide better data protection, is expected to be adopted soon, data controllers currently cannot rely on any international agreement for their data transfers across the Atlantic.<\/p>

A weaker level of data protection prescribed by the laws of a country such as the US can be compensated by contracts concluded between data controllers, processors, and\/or recipients which include SCCs (Standard Contractual Clauses<\/a>) and Data Transfer Impact Assessment (DTIA).<\/p>

However, Meta Platforms Ireland Limited has transferred personal data in accordance with the transfer and processing agreement concluded with its US equivalent, Meta Platforms, Inc. which incorporated the European Commission\u2019s 2021 Standard Contractual Clauses (SCCs), and it was still found to be in breach of the GDPR. The agreement between those two companies even included a Data Transfer Impact Assessment (DTIA) which determined the risks and consequences of such a transfer.<\/p>

You must be wondering what exactly is wrong with this transfer of Facebook users\u2019 data if Meta implemented the measures mentioned above.<\/p>

Namely, in 2020, the European Court of Justice issued the Schrems II judgment[1]<\/a> that tightened the rules of data transfer to third countries. This judgment established that SCCs are still considered good practices, but these clauses are not enough anymore. Data controllers must understand that they can\u2019t just rely on a signed paper, but they must inform themselves of the recipient country\u2019s degree of compliance with the GDPR.<\/p>

In this case, DPC in cooperation with the European Data Protection Board (EDPB) and other European Concerned Supervisory Authorities (CSA) has decided that all the efforts that Meta has done were not adequate to protect the rights and freedoms of the people whose personal data was being transferred.<\/p>

<\/a><\/p><\/div><\/section>

In a nutshell, the supervisory authorities found that:<\/p>