The Irish Data Protection Commission ("Commission") concluded its investigation into Meta Ireland on May 22, 2023. The Commission has imposed a $1.2 billion administrative fine on Meta Ireland. This is the highest administrative fine imposed in the field of data protection.

What Does the Commission Decision Say?

The Commission makes the following findings regarding Meta Ireland's activities in the field of data protection:

• Meta Ireland continued to transfer data to Meta USA, which is located outside the European Union, despite the Court of Justice of the European Union ("CJEU") decision in Facebook Ireland Limited v Maximillian Screms in 2020, and this transfer was found to be contrary to Article 46 of the General Data Protection Regulation ("Regulation") on Transfers Subject to Appropriate Safeguards.
• While Meta Ireland carries out this transfer in accordance with the updated standard contractual clauses approved by the European Commission, it failed to address the risks to the fundamental rights and freedoms of data subjects, as highlighted in the CJEU ruling.

Who Is to be Affected and How?

This decision by the Commission is particularly relevant to companies engaged in international data transfers. Although standard contractual clauses are being adopted, this is not enough to transfer the personal data of data subjects abroad. In addition to the standard contractual clauses, the transfer should be carried out by the data controllers after evaluating the risks to the fundamental rights and freedoms of the data subjects.

Sanctions

The Commission has suspended the data transfers by Meta to the United States for a period of five months from the notification of the decision to Meta Ireland under Article 58 of the GDPR. In addition to this suspension measure, the Commission has also ordered Meta Ireland to bring its data processing activities into compliance with the provisions on transfers in the decision and the Regulation within six months. Alongside these instructions, the Commission has also imposed a €1.2 billion administrative fine on Meta Ireland for unlawful data transfers. This is the highest administrative fine ever imposed under the Regulation in the area of data protection, overturning the previous fine of €746 million imposed on Amazon in 2021.

As a Summary

This high administrative fine given to Meta Ireland; underlines that it is not sufficient to only agree on standard contractual clauses for data transfers to be made abroad, and the necessity of managing the risks to the fundamental rights and freedoms of data owners, which are at the core of data protection legislation. Particularly, the global giant companies that serve as social media platforms should revisit all their activities related to data protection after this decision, to avoid potential large administrative fines and other sanctions in the future, and to prevent damage to their corporate reputations.