Meta faces $1.3bn fine following Facebook data transfer investigation

Meta has also been ordered to cease its unlawful processing and storage of personal data of European users

Olivia Powell
05/23/2023

Owner and operator of social media site Facebook, Meta Platforms Ireland (Meta IE), is facing a record €1.2bn (US$1.2bn) fine after an investigation by the Irish Data Protection Authority (IE DPA) into its data transfer practices.

Meta has also been instructed to ensure its data transfers meet General Data Protection Regulation (GDPR) standards.

The fine, the largest GDPR fine ever issued, was imposed by the European Data Protection Board (EDPB) for Meta IE’s transfers of personal data to the US on the basis of standard contractual clauses from July 2020. According to EDPB Chair Andrea Jelinek, Meta IE’s GDPR infringement is “very serious” as the transfers were “systematic, repetitive and continuous” and concern a large volume of personal data.

Jelinek said of the fine: “The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”

In a binding dispute resolution decision issued on April 13, the EDPB instructed the IE DPA to impose a fine on Meta IE. The EDPB also told the IE DPA to order Meta IE to ensure its processes are compliant with Chapter V GDPR regulations, meaning the company must cease its unlawful processing and storage of personal data of European users transferred to the US in violation of the GDPR.

Ireland’s Data Protection Commission (DPC) has previously fined Meta IE for GDPR violations. On November 25, 2022, the DPC announced that it would be imposing a €265mn (US$275mn) fine and “a range of corrective measures” on Meta IE after an investigation into suspected data scraping on the site following a data leak that saw the personal data of 553 million Facebook users published to the internet.

As a result of the leak, the Facebook IDs, names, dates of birth, locations, bios and in some cases email addresses of the affected accounts were made publicly available via a post on the dark web. 

