1.2 billion euro fine for Facebook as a result of EDPB binding decision – the largest ever GDPR fine
The National Centre for Personal Data Protection (NCPDP), for information and enforcement purposes, reports the €1.2 billion fine imposed on Meta Platforms Ireland Limited (Meta IE), following the binding dispute resolution decision of the European Data Protection Board (EDPB), for a serious breach of the legal provisions of Regulation (EU) 2016/679 (GDPR). This fine, which is the largest GDPR fine to date, was imposed for personal data transfers made by Meta IE to the US under standard contractual clauses from 16 July 2020.
In its binding decision of 13 April 2023, the EDPB ordered the Irish Data Protection Authority (DPA) to amend its draft decision and impose a fine on Meta IE (formerly Facebook Ireland Limited). Given the seriousness of the breach, the EDPB found that the starting point for calculating the fine should be between 20% and 100% of the applicable legal maximum. The Irish DPA is also required to order Meta IE to bring its processing operations into compliance with Chapter V of the GDPR, within 6 months of notification of its final decision, by ceasing the unlawful processing, including storage, in the US of European users’ personal data transferred in breach of the legal provisions of the GDPR.
The Irish DPA’s final decision incorporates the legal assessment expressed by the EDPB in its binding decision under Article 65(1)(a) of the GDPR after the Irish DPA, as lead supervisory authority, initiated a dispute resolution procedure regarding objections raised by several supervisory authorities concerned.
The NCPDP, as the national supervisory authority for the processing of personal data, emphasises the responsibility of personal data controllers to comply with the legislative framework for personal data protection and to ensure that personal data processing operations comply with the legislation in force.