Meta hit with R25bn fine for GDPR breach

By Admire Moyo, ITWeb's news editor.
Johannesburg, 22 May 2023

Facebook parent company Meta Platforms has been slapped with a €1.2 billion (R25 billion) fine for contravening the European Union’s data privacy law, the General Data Protection Regulation (GDPR).

The administrative fine was issued by the Irish-based Data Protection Commission (DPC), which acts on behalf of the EU.

In the probe, the DPC says the social media company illegally transferred the data of its EU-based users to the US in contravention of a previous court ruling.

South Africa’s equivalent of GDPR is the Protection of Personal Information Act (POPIA), although the local information watchdog is still to fine any organisations for contravening the data privacy law. POPIA came into force on 1 July 2021.

In a statement, the DPC says it adopted its final decision in the Meta inquiry on 12 May.

It says the decision records that Meta Ireland infringed Article 46(1) of the GDPR when it continued to transfer personal data from the EU or European Economic Area to the US following the delivery of the Court of Justice of the European Union’s (CJEU’s) judgement in the case of Data Protection Commissioner versus Facebook Ireland and Maximillian Schrems.

“While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment,” says the DPC.

“The inquiry was initially commenced in August 2020, and was subsequently stayed by order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021. Following a comprehensive investigation, the DPC prepared a draft decision dated 6 July 2022.”

Responding to the fine, Nick Clegg, Meta president for global affairs, and Jennifer Newstead, chief legal officer, say the ability for data to be transferred across borders is fundamental to how the global open internet works.

From finance and telecommunications, to critical public services like healthcare or education, the free flow of data supports many of the services that we have come to rely on, they say.

“Thousands of businesses and other organisations rely on the ability to transfer data between the EU and US in order to operate and provide services that people use every day.

“We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts.”