In a landmark development, Ireland's Data Protection Commission (DPC) issued social media giant Meta a $1.3 billion/€1.2 billion fine. This is by far the largest GDPR fine to date, and the first to be over a billion dollars.
The fine is in response to Meta's unlawful processing, storage, and transfer of personal data from the EU to the U.S. through Facebook. Meta now has to cease these data transfers within six months, otherwise the company could face further legal action.
This case began in earnest in 2020 following the EU-U.S. Privacy Shield invalidation. Since then, Facebook has used standard contractual clauses, which the European Data Protection Board (EDPB) has found to be noncompliant in nature and a bit of a legal loophole. EDPB Chair Andrea Jelinek emphasized during today's announcement that this $1.3 billion fine is a warning to organizations regarding serious infringements.
Experts are already suggesting that this decision will have broader implications, potentially affecting all businesses transferring data from the EU to the U.S. It also throws into question the effectiveness of supplemental measures taken by organizations, including updated SCCs, in addressing current deficiencies in U.S. law, as America does not have federal comprehensive data protection.