Irish Regulator Fines Meta 1.2 Billion Euros and Orders it to Cease Data Transfers to the U.S.

On
May
22,
2023,
the
Irish
Data
Protection
Commission
(the
“DPC”)
announced
a
€1.2
billion
fine
against
Meta
Ireland
for
unlawfully
transferring
personal
data
to
the
U.S.

In
this
landmark
decision,
the
DPC
considered
that
even
though
Meta
Ireland
relied
on
the
EU
Standard
Contractual
Clauses
in
conjunction
with
additional
supplementary
measures
to
legitimize
its
data
transfers
to
the
U.S.,
these
arrangements
were
not
sufficient
to
address
the
requirements
arising
from
the
Court
of
Justice’s

Schrems
II
judgment.

In
addition
to
the
fine,
the
DPC
ordered
Meta
Ireland
to
suspend
any
future
transfers
of
personal
data
to
the
U.S.
within
five
months.
Meta
Ireland
is
also
required
to
cease
unlawful
processing,
including
storage,
in
the
U.S.
of
personal
data
of
EEA
users
transferred
in
violation
of
the
GDPR,
within
six
months.

As
a
reminder,
the
DPC’s
earlier
draft
decision
did
not
impose
a
fine
on
Meta
Ireland.
The
record
fine
arises
from
EDPB’s
Article
65
binding
decision,
after
supervisory
authorities
in
other
countries
raised
objections.

Meta
Ireland
has
stated
that
it
will
appeal
the
decision.

Read
the

DPC’s
decision
and
the

EDPB’s
Article
65
binding
decision.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts