Meta Platforms Ireland Limited (“Meta”) has been fined EUR 1.2 billion for breaches of the GDPR due to lack of proper safeguards in place for transferring personal data outside the European Union (EU). The fine, imposed by the Irish Data Protection Authority (IE DPA), is the largest-ever penalty imposed under the GDPR.
Meta’s unlawful transfers of personal data to the US take place under standard contractual clauses. The fine and the order to bring data transfers into compliance with the GDPR arise from a binding decision issued by the European Data Protection Board on 13 April 2023. The decision sends an important message to other similarly situated companies whose activities involve transfers of personal data outside the EU, and sets out an obligation to ensure an adequate level of protection for the transferred data.
Meta must cease unlawful processing and storage in the US of personal data transferred in violation of the GDPR within 6 months following the date of notification of the IE DPA’s final decision.
The full text of the decision is available here:
https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf
