Meta fined €1.2bn in data transfer case

The Data Protection Commission (DPC) in Ireland has fined Meta Platforms Ireland Limited (Meta Ireland) €1.2 billion for transferring personal data from the EU/EEA to the US for the provision of its Facebook service.
The DPC finalized its decision on May 12, 2023, finding that Meta Ireland breached Article 46(1) of the General Data Protection Regulation (GDPR) by continuing to transfer personal data from the EU/EEA to the USA following the judgment of the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. Despite Meta Ireland's use of the updated Standard Contractual Clauses (SCCs) and supplementary measures, the DPC determined that these arrangements did not adequately address the risks to the fundamental rights and freedoms of data subjects identified by the CJEU.
The inquiry was initiated in August 2020 and subsequently stayed by the High Court of Ireland until May 20, 2021, pending the resolution of legal proceedings. After conducting a thorough investigation, the DPC drafted a decision on July 6, 2022, which concluded that:
1. The data transfers in question violated Article 46(1) of the GDPR.
2. In light of these circumstances, the data transfers should be suspended.
In accordance with the cooperation procedure mandated by the GDPR (Article 60), the DPC submitted the draft decision to its peer regulators, also known as Concerned Supervisory Authorities (CSAs), within the EU/EEA. Given the nature of the processing under investigation, all other EU/EEA Supervisory Authorities participated as CSAs in the cooperation procedure.
Regarding Meta Ireland's non-compliance with the GDPR and the DPC's proposal to suspend the data transfers, the CSAs supported the DPC's decision. However, a small subset of four out of 47 CSAs raised objections concerning the corrective power proposed by the DPC in the draft decision. All four CSAs believed that Meta Ireland should face an administrative fine for the infringement identified. Additionally, two of those CSAs suggested that Meta Ireland should be compelled to address the personal data that had already been unlawfully transferred to the US, covering the period from July 2020 to the present.
Disagreeing with the suggested additional corrective measures, the DPC argued that exercising such powers would exceed the bounds of what could be considered "appropriate, proportionate, and necessary" to address the breach of Article 46(1) of the GDPR.
As consensus could not be reached during the informal consultation process, the DPC fulfilled its obligations under the GDPR by referring the objections to the European Data Protection Board (EDPB) for determination through the Article 65 dispute resolution mechanism.

@adgully
