DECISION SUMMARY
What happened
On 12 May 2023, Ireland's Data Protection Commission (DPC) announced a final decision imposing an administrative fine of €1.2 billion on Meta Platforms Ireland Limited, the controller of Facebook for European users. The decision concluded a long-running cross-border inquiry into the lawfulness of Meta's reliance on Standard Contractual Clauses (SCCs) to transfer personal data of EU and EEA Facebook users to Meta Platforms Inc in the United States. The DPC found that those transfers infringed Article 46(1) of the GDPR, because the supplementary measures Meta had put in place did not address the risks identified by the Court of Justice of the European Union in its July 2020 ruling in Case C-311/18 (Schrems II).
The complaint underlying the decision was originally filed by Max Schrems with the DPC in June 2013, almost ten years before the final fine was issued. The original complaint targeted Facebook's reliance on the (now-invalidated) US-EU Safe Harbour framework. Following the Court of Justice judgments in Schrems I (Case C-362/14, 2015) and Schrems II (Case C-311/18, 2020), the DPC was required to reassess the lawfulness of the transfers under successive legal frameworks. The 2023 decision focused on the post-Schrems II period, during which Meta continued to rely principally on SCCs supplemented by encryption-in-transit and contractual measures.
Under Article 60 GDPR, the DPC acted as lead supervisory authority because Meta Ireland is established in Ireland. The DPC circulated a draft decision to other concerned supervisory authorities in summer 2022. Several supervisory authorities, including the German federal regulator, the French CNIL and the Spanish AEPD, raised relevant and reasoned objections to the draft. Those objections went to the appropriateness of the fine amount, the absence of an order to suspend transfers beyond a six-month grace period, and the absence of an order to delete personal data that had already been unlawfully transferred. Because the lead and concerned authorities could not reach consensus, the matter was escalated to the European Data Protection Board (EDPB) under the Article 65 dispute-resolution mechanism.
On 13 April 2023, the EDPB adopted Binding Decision 1/2023, instructing the Irish DPC to amend its draft decision in three material respects. First, the DPC was required to add an administrative fine substantially higher than the figure in the draft. Second, the DPC was instructed to order Meta to bring its processing operations into compliance with Chapter V of the GDPR within six months by ceasing the unlawful processing, including storage in the United States, of European personal data already transferred. Third, the EDPB clarified that the period for compliance with the suspension order should not effectively legitimise ongoing unlawful transfers during the grace period. The DPC published its revised final decision on 22 May 2023, embodying the EDPB's binding instructions, with the formal fine amount set at €1.2 billion.
What the DPC found
The decision's central legal finding was that Meta's transfers infringed Article 46(1) GDPR. Article 46(1) requires that, in the absence of an adequacy decision under Article 45, a controller may only transfer personal data to a third country if it has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies are available. The Court of Justice held in Schrems II that the SCCs adopted by the European Commission remained valid in principle, but that a controller relying on them must verify, in the specific context of the transfer, whether the law of the third country provides an essentially equivalent level of protection. Where it does not, the controller must adopt supplementary measures or suspend the transfer.
The DPC accepted the EDPB's position that, in the case of US transfers governed by Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order 12333, the Schrems II concerns about US government access to data in transit and at rest were not addressed by Meta's contractual and technical supplementary measures. In particular, the technical measures Meta described (including encryption of data in transit and notification provisions in the SCCs) did not prevent access by US intelligence agencies operating under FISA 702 authority. The DPC concluded that Meta's transfers therefore did not have the essentially equivalent protection that Article 46 requires, and that ongoing transfers constituted a continuing infringement of Article 46(1).
The decision did not find Meta's reliance on SCCs to be procedurally defective. The clauses were validly executed, the relevant transfer-impact assessment had been conducted, and supplementary measures had been considered. The defect was substantive. As a matter of US law, the supplementary measures could not deliver the outcome the GDPR requires. That this is the same problem the Court of Justice identified in Schrems II in July 2020, and that Meta continued to transfer data on essentially the same legal basis for almost three years afterward, was treated as an aggravating factor in the Article 83(2) analysis.
Why the fine was this size
Article 83(5) GDPR provides for fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. Infringements of Article 46 fall within this upper tier. Meta Platforms Inc reported total revenue of approximately US$117 billion in calendar year 2022, putting the 4% turnover ceiling for the relevant undertaking comfortably above €4 billion at typical exchange rates. The €1.2 billion fine therefore sits well below the statutory cap, in the upper range of what Article 83(2) factors would support given the nature of the infringement.
The decision walks through the ten Article 83(2) factors. The DPC and EDPB jointly treated the following as aggravating. First, the nature and gravity of the infringement: cross-border transfers to a third country with documented mass-access regimes affecting hundreds of millions of EU data subjects over many years. Second, the duration: ongoing transfers from 2020 (post-Schrems II) until the order in 2023, a period of close to three years. Third, intent: the DPC concluded that Meta acted with at least negligence in continuing transfers it knew or should have known could not be brought into compliance by the supplementary measures it adopted. Fourth, prior infringements: Meta entities have been the subject of multiple GDPR decisions since 2018, including (in Ireland) WhatsApp (€225M, 2021), Meta Ireland transparency (€390M, 2023), Instagram children's data (€405M, 2022), and Meta Ireland contractual-basis (€390M, 2023). Fifth, the categories of data: behavioural, location, contact, and inferred-interest data of Facebook users, much of it not provided directly by the data subject.
On the mitigating side, the DPC noted Meta's cooperation with the inquiry and its implementation of contractual supplementary measures (even though those measures were not, in substance, sufficient). The DPC also accepted that the legal landscape shifted materially during the inquiry, both with Schrems II in 2020 and with the EDPB's evolving guidance on supplementary measures. These mitigating factors reduced what would otherwise have been a higher percentage-of-turnover fine. The final amount, around 1% of Meta's 2022 global revenue, reflects the balance the EDPB and DPC struck.
The accompanying orders
The fine was the most visible part of the decision but not the most operationally significant. The accompanying orders required Meta to suspend any future transfer of personal data to the United States made on the contested legal basis within five months of the decision, and to bring its processing operations (including storage in the United States) into compliance with Chapter V within six months. In practice this would have required Meta to delete or repatriate the data of European users held on US-based infrastructure, a project of structural scale.
The five-month suspension deadline was effectively overtaken by events. On 10 July 2023, the European Commission adopted an adequacy decision for the new EU-US Data Privacy Framework (DPF), establishing that certified US organisations provide an adequate level of protection for transferred personal data. Meta self-certified to the DPF, which gave it a valid Article 45 transfer basis going forward. The deletion-or-repatriation question remains subject to the appeal proceedings.
Appeal status
Meta has confirmed it will appeal the decision through the Irish courts. Under section 142 of the Irish Data Protection Act 2018, an appeal lies to the High Court on the merits of the DPC decision, including the fine amount and the accompanying orders. The appeal is likely to address both the substantive question (whether Meta's pre-DPF transfers were in fact infringing) and the size of the fine (whether the Article 83(2) analysis was proportionate). The appeal process can take several years through the Irish High Court and (potentially) the Court of Appeal and the Supreme Court, and may include a preliminary reference to the Court of Justice. The Article 83(2) factors and the fine amount are subject to full review on appeal.
As of April 2026, the formal status recorded on the gdprfine.com register is under appeal. No reduction or vacation has been ordered to date. For regulator-facing comparator purposes the €1.2 billion figure remains the headline GDPR fine.
What this decision tells controllers
For practitioners, the Meta DPC decision crystallises four lessons. First, Schrems II is not a procedural problem fixable with paper supplementary measures: the analysis must be substantive, and where US surveillance law applies, contractual measures alone will not suffice. Second, the EDPB Article 65 mechanism can and will escalate fines materially above the lead authority's draft, and concerned authorities take an active role in shaping outcomes for Big Tech entities. Third, fine amounts for upper-tier infringements scale to undertaking turnover, with the €20 million absolute cap functioning as a floor rather than a ceiling for large multinationals. Fourth, the operational orders accompanying a fine can be more consequential than the fine itself: a deletion-or-repatriation order on multi-year data stores represents a far larger commercial cost than the headline fine.
For controllers reviewing their own transfer arrangements in 2026, the practical checklist is straightforward. Identify every Chapter V transfer. Map each to a mechanism (adequacy, SCCs, BCRs, derogation). For transfers under SCCs, conduct a documented transfer-impact assessment that grapples with the importer's legal environment, and adopt supplementary measures that materially change the risk (end-to-end encryption with keys held in-jurisdiction; pseudonymisation that breaks reidentification; routing changes that avoid transit through high-risk jurisdictions). Where the transfer is to a DPF-certified US recipient, document the certification and monitor for any DPF re-evaluation. Review at least annually.