The Irish Data Protection Commission said on Monday that it has fined Meta $1.3 billion (€1.2B) for not complying with a previous court ruling by transferring users’ data to the United States.
The social media giant’s data transfers have been under investigation since 2020, and the record fine has been imposed after the DPC received orders from the European Data Protection Board.
‘’The decision records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems,’’ the DPC said in a statement.
‘’While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.’’
In addition to the historic fine, the Irish watchdog has also ordered Meta to stop transfering users’ data to the United States within five months, and bring its operations into compliance with the Chapter V of the General Data Protection Regulation (GDPR) within six months following the date of its decision.
In a blog post, Meta’s President of Global Affairs Nick Clegg and Chief Legal Officer Jennifer Newstead said that the company would appeal the decision, ‘’including the unjustified and unnecessary fine, and seek a stay of the orders through the courts’’.
‘’Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos’’, they said.
They added that if the new Data Privacy Framework (DPF), which was agreed by President Biden and Commission President Von der Leyen in March 2022, comes into effect before Meta’s deadlines, the social media company will be able to maintain its operations in the region ‘’without any disruption or impact on users’’.
The Irish Data Protection Commission has now fined Meta a total of €2.5 billion over violations of the General Data Protection Regulation. The company received a fine of €390 million ($414M) in January over its advertising practices on Facebook and Instagram, and was hit with another fine of €405 million ($402M) last September for mishandling children’s data.