Security News > 2023 > May > EU slaps Meta with $1.3 billion fine for moving data to US servers
The Irish Data Protection Commission has announced a $1.3 billion fine on Facebook after claiming that the company violated Article 46(1) of the GDPR. More specifically, it was found that Facebook transferred data of EU-based users of the platform to the United States, where data protection regulations vary per state and have been deemed inadequate to protect the rights of EU data subjects.
As a result of the infringement, the DPC imposed a record €1.2 billion fine on Facebook's parent company, Meta Ireland, and requested that all data transfers that violate the GDPR be suspended within five months of the decision.
Facebook had previously been transferring data between European countries and US under the GDPR's 2016 EU-US Privacy Shield, which allowed the storage of EU data with US companies on the Privacy Shield list.
The changes in international data transfers under GDPR were changed in the July 2020 "Schrems II" case, where CJEU judged that any transfers of personal data on the Privacy Shield Decision are illegal and stricter data control regulations need to be introduced.
In July 2022, it published a draft decision highlighting that the tech giant was breaching Article 46(1) of the GDPR. On April 13, 2023, the European Data Protection Board adopted a binding decision, instructing the DPA to impose a fine on Meta and to order it to comply with GDPR. Today, the Irish DPC imposes the $1.3 billion administrative fine reflecting EDPB's decision, punishing Meta with a penalty determined on EDPB's guidelines, given the seriousness of the infringement.
Meta has responded to the decision via a blog post, saying that seamless cross-border data transfers are of crucial importance to business continuity, and finds that the administrative fine and restriction orders will have a severe impact on its services in Europe.