Ireland: DPC fines Meta €1.2bn for unlawful data transfers

The Data Protection Commission (DPC) in Ireland has imposed a €1.2 billion fine on Meta Platforms Ireland Limited for breaches of Article 46 of the GDPR relating to the provision of the Facebook service.
The DPC’s decision follows an investigation launched in August 2020, which found that data transfers by Meta to its US counterpart, Meta Platforms, Inc., were carried out in breach of the GDPR. Despite the use of the European Commission’s 2021 Standard Contractual Clauses (SCCs), the DPC found that the measures used were not sufficient to minimise the risk to the fundamental rights and freedoms of data subjects.
It said that US law did not provide a level of protection equivalent to EU law and no SCCs could compensate for this inadequate protection. It also suggested that Meta could not rely on the exceptions in Article 49(1) of the GDPR when making international data transfers.
Under the DPC’s decision, Meta was fined €1.2 billion. In addition, the DPC ordered Meta to cease unlawful processing, including storage, of EEA users’ personal data in the US that was transferred in breach of the GDPR and to suspend future data transfers to the US within five months of notification of the DPC’s decision.

Meta said it will appeal the DPC’s decision.