The information was presented at the European Stroke Organisation Conference
Earlier this year, the European Data Protection Board (EDPB) issued a binding dispute resolution decision regarding Meta Platforms Ireland Limited (Meta IE), the company behind Facebook. The Irish Data Protection Authority (IE DPA) conducted an inquiry into Facebook’s service and imposed a record-breaking fine of 1.2 billion euros on Meta IE. The fine was levied due to Meta’s transfers of personal data to the United States using standard contractual clauses (SCCs) since July 16, 2020. Additionally, Meta has been instructed to bring its data transfers into compliance with the General Data Protection Regulation (GDPR).
The EDPB Chair, Andrea Jelinek, emphasized the severity of Meta IE’s infringement, which involved systematic, repetitive, and continuous transfers of personal data. With millions of Facebook users in Europe, the scale of the data transfers is significant. The substantial fine serves as a strong signal to organizations that serious violations will have far-reaching consequences.
In its binding decision, the EDPB directed the IE DPA to revise its draft decision and impose a fine on Meta IE. Considering the gravity of the infringement, the EDPB determined that the fine should range between 20 per cent and 100 per cent of the applicable legal maximum. Furthermore, the EDPB instructed the IE DPA to order Meta IE to bring its processing operations into compliance with Chapter V of the GDPR, which involves ceasing the unlawful processing and storage of personal data of European users in the United States, in violation of the GDPR. Meta IE is required to accomplish this within six months after receiving the IE SA’s final decision notification.
The final decision of the IE DPA aligns with the legal assessment expressed by the EDPB in its binding decision. The EDPB’s decision was made based on Article 65(1)(a) of the GDPR after the IE DPA, as the lead supervisory authority, initiated a dispute resolution procedure in response to objections raised by several concerned supervisory authorities. These objections aimed to include an administrative fine and an additional order to ensure compliance with data processing requirements.