Facebook’s GDPR Infringements

The General Data Protection Regulation (GDPR), enacted on May 25, 2018, safeguards the privacy and data of EU and European Economic Area (EEA) citizens. It applies to all businesses handling the personal data of these individuals. The GDPR is built around seven fundamental principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

Facebook’s GDPR Breaches

Facebook, owned by Meta, was recently fined €1.2bn by the Irish Data Protection Authority (DPA) for contravening these principles. The primary issue was Facebook’s use of Standard Contractual Clauses (SCCs) for transferring personal data to the US.

Potential Consequences of GDPR Violations

Penalties for GDPR violations range from warnings and reprimands for minor or first-time offenses to fines up to 4% of a company’s annual global turnover or €20m, whichever is higher. The DPA may also suspend data processing activities.

In Facebook’s case, the Irish DPA imposed the highest-ever GDPR fine and instructed the company to align its data transfers with GDPR principles. Because a significant volume of personal data from numerous European users was implicated, the violation was considered severe. The ruling could have substantial implications for Facebook’s European operations, potentially affecting its ad-targeting capabilities. Facebook was given a five-month grace period to comply.
