Ireland’s Data Protection Commission (DPC) initially proposed not imposing a fine on Meta in its draft decision last summer, but was overruled by the European Data Protection Board (EDPB).

According to the DPC’s final decision, Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.

Meta Ireland effected those transfers on the basis of the updated standard contractual clauses (SCCs) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland.

However, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.

As well as an administrative fine in the amount of €1.2 billion, determined by the DPC “by reference to the assessments and determinations that were included in the EDPB’s decision”, the DPC will make orders requiring Meta to suspend the data transfers for five months and bring its processing operations in compliance with the GDPR within six months.

In a joint statement, Meta’s president of global affairs Nick Clegg and chief legal officer Jennifer Newstead said Meta will take legal action to “appeal both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines”.

They added that Meta was “disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe”.

Privacy campaigner Max Schrems said: “We are happy to see this decision after 10 years of litigation. The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for 10 years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”

He added: “This decision may lead to civil litigation against Meta in Europe. This summer the EU also implements a new ‘class action’ system, which can be used for GDPR violations.”