Breaking news: Meta receives largest GDPR fine to date
The results from the Irish Data Protection Commission's investigation are in and it has today been announced that Meta has been fined €1.2 billion – the largest GDPR fine to date – for failures to impose appropriate safeguards on the transfer of personal data to the US.
Meta has also been ordered to:
- suspend all transfers of personal data to the US by 12 October 2023 (five months after the date of the decision); and
- bring its processing in line within the GDPR by 12 November 2023 (six months after the date of the decision), which in practice will require Meta to terminate its existing processing activities in the US and delete or move back to the EU any European Facebook users' personal data currently stored there.
The implementation of the decision may however be stayed if Meta chooses to appeal – a likely outcome given the substantial impact this decision will have on Meta's operations.
More generally, this decision will have significant implications for all organisations that seek to rely on the European Commission's Standard Contractual Clauses as the appropriate safeguard on transfers of personal data to the US – expect companies to be distinguishing their data transfers, risk profiles, transfer mechanisms and supplementary measures from this decision. Also expect efforts to finalise the EU Commission's EU-US data transfer framework to ramp up significantly.
For further analysis on the Irish Data Protection Commission's decision, and the reactions to it, look out for our May Data Protection Bulletin.