On May 22, 2023, the Irish Data Protection Commission (the “DPC”) announced a €1.2 billion fine against Meta Ireland for unlawfully transferring personal data to the U.S.

In this landmark decision, the DPC considered that even though Meta Ireland relied on the EU Standard Contractual Clauses in conjunction with additional supplementary measures to legitimize its data transfers to the U.S., these arrangements were not sufficient to address the requirements arising from the Court of Justice’s Schrems II judgment.

In addition to the fine, the DPC ordered Meta Ireland to suspend any future transfers of personal data to the U.S. within five months. Meta Ireland is also required to cease unlawful processing, including storage, in the U.S. of personal data of EEA users transferred in violation of the GDPR, within six months.

As a reminder, the DPC’s earlier draft decision did not impose a fine on Meta Ireland. The record fine arises from EDPB’s Article 65 binding decision, after supervisory authorities in other countries raised objections.

Meta Ireland has stated that it will appeal the decision.

Read the DPC’s decision and the EDPB’s Article 65 binding decision.