Article Summary

  • Meta has been hit with a record fine of 1.2 billion euros for transferring European Facebook users’ data to the U.S.
  • The fine came as the largest issued against any company under the General Data Protection Regulation (GDPR).

The European Data Protection Board (EDPB) has fined Meta €1.2 billion for breaching the General Data Protection Regulation (GDPR). This was the largest fine ever under the European GDPR.

Meta is said to have breached conditions set out in the pan-EU regulation governing transfers of personal data to third countries without ensuring adequate protections for people’s information. The company was also ordered to stop exporting European Union user data to the US for processing in compliance with the GDPR.

Serious infringement

Announcing the sanction, EDPB’s Chairman, Andrea Jelinek, said:

  • “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”

In its binding decision earlier on April 13, 2023, the EDPB instructed the IE DPA to amend its draft decision and to impose a fine on Meta.

  • “Given the seriousness of the infringement, the EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum. The EDPB also instructed the IE DPA to order Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the U.S. of personal data of European users transferred in violation of the GDPR, within 6 months after notification of the IE SA’s final decision,” Jalinek added.

Last April, Meta warned investors that around 10% of its global ad revenue would be at risk if the EU data flow suspension were to be implemented. That fear has now become reality with Monday’s pronouncement by the EDPB.

What you should know

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union.

It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.

Nigeria 2019 also came up with the National Data Protection Regulation (NDPR), which is fashioned after the GDPR with the aim of protecting Nigerians’ data. However, not much has been achieved with the implementation of the regulation, so there has been a clamor for a substantive data protection law.