Tech giant Meta is fined €1.2 billion – the largest fine ever under the GDPR

Tech giant Meta is fined €1.2 billion – the largest fine ever under the GDPR

In the same week the General Data Protection Regulation (GDPR) turned 5 years old, Facebook’s owner Meta Platforms Ireland Limited (Meta) has been hit with a record-breaking fine of €1.2 billion by the Irish data protection regulator, the largest fine to date issued under the GDPR.

The fine was issued because Facebook’s transfer of personal data of user data from the EU and EEA to the US was found to be in breach of GDPR and Meta has been ordered to stop transferring personal data of European users over to the US, within 5 months.

The GDPR sets out stringent rules around transfers of personal data to countries outside of the EEA, including the requirement to carry out a data ‘Transfer Impact Assessment’ to assess the laws of the country to which personal data is transferred. Although Meta in Ireland had entered ‘Standard Contractual Clauses’ (model clauses issued by the European Commission, to ensure the safety of personal data being transferred), the regulator found that Meta did not properly address the risks to personal data being transferred in the US with suitable ‘supplemental measures’, because the extra measures Meta relied on did not properly address the risks to the rights and freedoms of individuals.

This is a hugely complex case and Meta will be appealing this decision and we will continue to watch the developments as this staggering decision unfolds.

This case shows how extremely important it is to comply with the mandatory legal requirements around international data transfers. Businesses transferring personal data (in particular to the US) should ensure they carry out detailed risk assessments, enter into the correct legal documents and put in place correct ‘supplementary measures’ to safeguard personal data being transferred outside of the EU. See our article summarising the rules on international transfers in more detail.

This case concerns EU law and it is currently unclear as to how the UK data protection regulator will handle this decision, but please speak to our expert team if you would like guidance on this topic and the rules which apply to your business.

About our expert

Becky White

Becky White

Senior Data Protection & Privacy Solicitor
Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.  

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry