Irish Data Protection Authority sanctions Meta with the largest GDPR fine to date


Yesterday it was announced that the Irish Data Protection Authority (Irish DPA) imposed a fine of EUR 1.2 billion to Meta Platforms Ireland Limited (Meta).

The sanction was applied in connection with the transfers of personal data by Meta to USA based on the standard contractual clauses (SCCs) as of 16 July 2020. Moreover, Meta was ordered to render its data transfers in compliance with GDPR requirements.

The European Data Protection Board (EDPB) was also involved in this file. Since several concerned supervisory authorities raised objections with regard to the draft decision issued by Irish DPA in its capacity of lead supervisory authority, the dispute resolution procedure under Art. 65 paragraph 1 letter (a) of GDPR has been triggered. Under this procedure, the EDPB issued a binding dispute resolution decision on 13 April 2023, whereby it instructed the Irish DPA to amend its initial draft decision. Thus, amongst others, considering the seriousness of the violation, the EDPB indicated that the starting point for the calculation of fine should be between 20% and 100% of the applicable legal maximum.

The final decision issued by the Irish DPA may be accessed in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.