
Meta EUR 1.2 bn DPC

Record GDPR fine for data transfers to the United States


A07 — Meta EUR 1.2 bn DPC: Record GDPR fine for data transfers to the United States

Category: EU-to-US data transfer / Schrems II / GDPR / Privacy Shield
Company/companies: Meta Platforms Ireland (part of Meta Platforms Inc.)
Years: 2020–2023 (practice after Schrems II), 22 May 2023 (fine)
Status: Meta filed an appeal with the Irish High Court; the dispute is ongoing; the Data Privacy Framework (July 2023) provided a temporary fix, but Schrems III is in preparation
Card ID: A07


Metadata

Field | Value
Country/region | European Union (decision by Irish DPC) vs. United States (recipient of the transfers)
Year revealed | 22 May 2023 (fine announcement); Schrems II on 16 July 2020
Years the practice ran | 16 July 2020 – 22 May 2023 (period of the violation after Schrems II)
Total fine | EUR 1,200,000,000
Currency | EUR
Legal basis | GDPR Art. 46(1) (transfer outside the EEA without adequate safeguards), CJEU ruling C-311/18 (Schrems II)
Whistleblower/discoverer | Max Schrems / NOYB (original complaint 2013), Edward Snowden (PRISM disclosure 2013)
Number of people affected | All Facebook users in the EEA — roughly 260 million
Status (today) | Fine paid into escrow; Meta appeal pending before the Irish High Court

TL;DR

On 22 May 2023, the Irish Data Protection Commission (DPC) imposed on Meta Platforms Ireland — Meta’s European arm — a record fine of EUR 1.2 billion, the highest in the history of the GDPR. The basis: Meta continued transferring data of Facebook users from the EEA to the United States after July 2020, when the Court of Justice of the EU struck down the Privacy Shield framework in its Schrems II (C-311/18) ruling. Meta based the transfers on Standard Contractual Clauses (SCCs) with supplementary measures, but the DPC — following a binding decision by the European Data Protection Board (EDPB) of 13 April 2023 — found those safeguards insufficient because they do not neutralize access by US intelligence agencies (FISA 702, Executive Order 12333) to data processed by Meta on servers in the United States.

A key political detail: the DPC initially did not want to impose a fine. Its 2022 draft decision contained only an order to halt transfers, with no penalty. It took the EDPB’s intervention — with a vote of other European data protection authorities — to force the fine through. This illustrates a structural tension within the GDPR: Ireland is home to most Big Tech companies in the EU (Meta, Google, Apple, LinkedIn, Microsoft, TikTok, X) and has a strong economic incentive to enforce leniently; the EDPB corrected for that.

The case is the culmination of a decade-long saga driven by Max Schrems (Schrems I — 2015, striking down Safe Harbor; Schrems II — 2020, striking down Privacy Shield). In July 2023, just weeks after the DPC decision, the European Commission adopted the EU-US Data Privacy Framework (DPF) — the third attempt at a transfer framework. Schrems immediately announced Schrems III, arguing that the DPF has the same defects as Privacy Shield. Meta appealed; as of today (April 2026) the case is still pending before the Irish High Court.

For EU citizens, this is the most systemic Big Tech case in GDPR history — it concerns not a specific breach but the fundamental contradiction between US surveillance law and European privacy law.


Timeline

  • June 2013 — Edward Snowden discloses the NSA’s PRISM program; the documents show direct NSA access to the servers of Facebook, Google, Apple, Microsoft and others.
  • 26 June 2013 — Max Schrems, at the time an Austrian law student, files a complaint with the Irish DPC against Facebook Ireland, arguing that transfers to the US violate EU law in light of Snowden’s revelations.
  • 6 October 2015 — Schrems I (CJEU case C-362/14): the Court strikes down the Safe Harbor framework (from 2000).
  • 2016 — The European Commission negotiates and adopts the EU-US Privacy Shield as a successor to Safe Harbor.
  • October 2017 — Schrems files another complaint, this time also challenging the SCCs.
  • 16 July 2020 — Schrems II (CJEU case C-311/18): the Court strikes down Privacy Shield, holding that FISA 702 and EO 12333 give US intelligence agencies disproportionate access to data, and that EU individuals lack effective remedies in US courts. SCCs remain valid but require case-by-case assessment and additional measures.
  • July–September 2020 — Meta states that it continues transfers on the basis of SCCs plus supplementary safeguards (transport-layer encryption, pseudonymization, audits).
  • 10 September 2020 — The DPC opens a formal inquiry into Meta Ireland.
  • 2021–2022 — Meta repeatedly warns in SEC filings that unless a new adequacy decision is adopted, it may shut down Facebook/Instagram in the EU. Politically this is treated as a bluff.
  • End of 2022 — The DPC circulates an internal draft decision without a fine, only with an order to cease transfers. This prompts outrage among other European DPAs.
  • January 2023 — The draft decision enters the consultation procedure with other authorities under Art. 60 GDPR.
  • 13 April 2023 — The EDPB issues a binding decision (Binding Decision 1/2023 on the dispute submitted by the Irish SA regarding Meta Platforms Ireland Limited and its Facebook service): the DPC must impose a fine “dissuasive in the context of Meta’s turnover.”
  • 12 May 2023 — The DPC adopts its final decision.
  • 22 May 2023 — Public announcement of the EUR 1.2 billion fine + order to suspend transfers within 5 months + order to cease processing of EU data in the US within 6 months.
  • 10 July 2023 — The European Commission adopts the EU-US Data Privacy Framework (DPF) — the third attempt at a transfer framework. Meta registers under the DPF, effectively neutralizing the DPC’s order.
  • July 2023 — Meta appeals to the Irish High Court, arguing that the fine is disproportionate and that it did not intentionally breach the GDPR.
  • July 2023 — Schrems / NOYB announce Schrems III — a complaint against the DPF. An inquiry is underway in the LIBE Committee of the European Parliament.
  • April 2026 — Meta’s appeal before the Irish High Court is still pending; the DPC ruling is not yet final.

Mechanism

How it worked — the transfer architecture

Meta Platforms Ireland (headquartered in Dublin) is the European entity responsible for processing the data of Facebook users in the EEA under the GDPR. The user data itself, however, is physically stored and processed on servers in the United States — among others at Meta’s data centers in Prineville (Oregon), Forest City (North Carolina) and Altoona (Iowa). That gives Meta’s services global infrastructure and scale.

The problem lies in US law:

  • FISA Section 702 allows the NSA, CIA and other agencies to collect foreign communications in bulk as they pass through American infrastructure. Providers (Meta, Google, Apple, Microsoft) are required to cooperate.
  • Executive Order 12333 (1981, Reagan) grants intelligence services broad powers to collect information outside the United States.

People in the EU have no access to an effective remedy — they cannot challenge NSA decisions in US federal courts because the Foreign Intelligence Surveillance Court (FISC) is classified.

How Meta argued

Meta argued that using Standard Contractual Clauses (SCCs) — standard contracts between EU and US entities that require the recipient to maintain a level of protection equivalent to the GDPR — combined with “supplementary measures” such as:

  • transport-layer encryption (TLS)
  • pseudonymization in some databases
  • internal access audits
  • transparency reports disclosing law enforcement requests

was sufficient.

Why Meta’s arguments failed

In Decision 1/2023 the EDPB held that Meta’s supplementary measures cannot neutralize access by US intelligence services:

  • Transport-layer encryption does not help if Meta itself decrypts the data on US servers (which it does).
  • Pseudonymization is reversible.
  • Internal audits do not give EU individuals access to judicial protection.
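
The pseudonymization point can be made concrete. The following is an added illustration, not code from the decision or from Meta: it assumes HMAC-SHA256 pseudonyms and a constructed user list, and shows that a party holding both the key and the identifier list re-links every record, while a party holding the export without the key cannot.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: identifiers a controller would hold in its user table.
USER_TABLE = [
    "anna.kowalska@example.org",
    "max.mustermann@example.org",
    "jean.dupont@example.org",
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized identifier."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def export_events(events, key):
    """Replace the direct identifier in each event with its pseudonym."""
    return [
        {"user": pseudonymize(e["user"], key), "action": e["action"]}
        for e in events
    ]


def relink(exported, candidate_ids, key):
    """Re-identify exported events from the key plus a list of candidate identifiers.

    Key and list together are the "additional information" of GDPR Art. 4(5):
    whoever holds them can attribute the records to a person again.
    """
    lookup = {pseudonymize(i, key): i for i in candidate_ids}
    return [
        {"user": lookup.get(row["user"]), "action": row["action"]}
        for row in exported
    ]


def demo():
    key = secrets.token_bytes(32)  # held by the party that pseudonymizes
    events = [  # constructed events
        {"user": "Anna.Kowalska@example.org", "action": "login"},
        {"user": "jean.dupont@example.org", "action": "message_sent"},
    ]
    exported = export_events(events, key)

    # Case 1: one organization holds key and user table -> full re-identification.
    with_key = relink(exported, USER_TABLE, key)

    # Case 2: the recipient has the export and the user list, but not the key.
    without_key = relink(exported, USER_TABLE, secrets.token_bytes(32))
    return exported, with_key, without_key


if __name__ == "__main__":
    for label, rows in zip(("exported", "with key", "without key"), demo()):
        print(label, rows)
```

The measure only protects against a recipient when the key and the identifier table stay with a different party than the one storing the pseudonymized records.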

The legal basis for the fine: GDPR Art. 46(1) — a transfer outside the EEA is permissible only if the recipient ensures “appropriate safeguards.” After Schrems II, SCCs alone are not adequate if the law of the third country neutralizes them.


Discovery

Who is Max Schrems

Maximilian Schrems (born October 10, 1987 in Salzburg, Austria; NOYB is currently headquartered in Vienna) is a lawyer and privacy activist, founder of NOYB (None Of Your Business). In 2011, as a student at the University of California in Santa Clara, he was writing a term paper on US privacy law. To research how Facebook handled personal data, he filed a data-access request with Facebook Ireland (an Art. 15 GDPR request avant la lettre). He received 1,222 pages of documents — including data he had supposedly deleted. That became the seed of his activism.

In 2013, after Snowden’s disclosures, he filed his first complaint with the DPC. In 2015 he won Schrems I. In 2018 he founded NOYB, a nonprofit funded through membership dues, national research grants and private donations. In 2020 he won Schrems II.

How the fine came about

The discovery happened in two stages. First: Snowden’s 2013 disclosures — which made the scale of US surveillance visible to the public. Second: Schrems’s decade of litigation, which produced the CJEU rulings.

The EUR 1.2 billion fine is not a classic whistleblower disclosure — it is the consequence of sustained legal and activist work.

First publications (fine announcement)


Key people

Activists and whistleblowers

  • Maximilian Schrems — the central figure. A decade of activism. After the decision he said: “This fine is only the tip of the iceberg — all American cloud companies are in the same position as Meta. The only durable answer is reform of US intelligence law.”
  • NOYB — Schrems’s organization; it runs dozens of complaints against Meta, Google, Apple, TikTok and Microsoft.
  • Edward Snowden — not the whistleblower in this case, but without his 2013 PRISM disclosures, Schrems II would not have been possible.

Regulators

  • Helen Dixon — Irish Data Protection Commissioner (2014–2024); criticized for the slow pace of proceedings. Under her leadership the DPC was widely seen as too lenient toward Big Tech.
  • Des Hogan (Chairperson) and Dale Sunderland — Data Protection Commissioners since February 20, 2024 (after Helen Dixon). Since 2024 the DPC operates with a two-commissioner model.
  • Andrea Jelinek — EDPB chair until 2023; a key figure behind the binding decision 1/2023.
  • Anu Talus — EDPB chair since 2023.
  • Didier Reynders — EU Commissioner for Justice 2019–2024; architect of the Data Privacy Framework.

Key lawyers in the CJEU case

  • Herwig Hofmann — professor of EU law at the University of Luxembourg; legal expert for NOYB.
  • Monika Niedermaier, Katharina Raabe-Stuppnig — Schrems’s lawyers.

Company response

Meta

Nick Clegg (then Meta President of Global Affairs) and Jennifer Newstead (Chief Legal Officer) in a statement on 22 May 2023: “We are disappointed with the outcome. (…) There was no breach, only a different legal assessment. (…) We will appeal.”

Meta’s arguments on appeal:

  • The fine is disproportionate — there had never before been a GDPR fine of that size.
  • Meta acted in good faith, relying on SCCs upheld as valid in Schrems II.
  • There were no clear guidelines from the DPC on how to comply after Schrems II.
  • The Data Privacy Framework of July 2023 confirms that transfers to the US are possible under an appropriate framework.

The strategic threat of EU exit — throughout 2022–2023 Meta repeatedly warned in SEC filings: “if there is no adequacy decision, we may consider suspending Facebook and Instagram for users in the EU.” The European Council and Commission interpreted this as a negotiating bluff. In the end, the DPF solved the problem without Meta leaving.


Jurisdictions

  1. Ireland — the DPC as lead supervisory authority, the High Court on appeal
  2. The EU as a whole — EDPB Binding Decision 1/2023
  3. Indirectly the United States — the adequacy dispute turns on US law
  • GDPR Art. 46(1) — “A transfer of personal data to a third country or an international organization may take place only if the controller or processor has provided appropriate safeguards.”
  • GDPR Art. 83(5) — fines for breaches of Art. 46: up to 4% of global turnover or EUR 20 million, whichever is higher.
  • GDPR Art. 65 — binding EDPB decision in disputes between DPAs.

Key stages

Date | Stage
16 July 2020 | Schrems II — CJEU strikes down Privacy Shield
September 2020 | DPC opens inquiry
2022 | DPC draft decision without a fine
13 April 2023 | EDPB binding decision
22 May 2023 | EUR 1.2 billion fine
July 2023 | DPF; Meta appeal
To date | Case pending before the High Court
  • Schrems I (C-362/14, 2015) — striking down Safe Harbor
  • Schrems II (C-311/18, 2020) — striking down Privacy Shield
  • Potentially Schrems III (not yet filed with the CJEU, NOYB complaint against the DPF)
  • La Quadrature du Net (a line of developing case law) — legal adequacy of digital services in the context of state surveillance

Penalties and settlements

Date | Authority | Amount | Jurisdiction | Basis
22 May 2023 | Irish DPC | EUR 1,200,000,000 | EU | GDPR Art. 46(1)

The fine has been paid into escrow (a court deposit) pending the appeal. The DPC ruling is not yet final as of April 2026.

Additional sanctions:

  • Order to suspend transfers within 5 months (effectively neutralized by the DPF)
  • Order to cease processing of EU data in the US within 6 months (same as above)

Precedents and implications

For EU law

  • The largest GDPR fine in history — the previous records were Amazon’s EUR 746 million (2021) and Meta/Instagram’s EUR 405 million (2022).
  • Confirmation that the EDPB has real authority in disputes between DPAs — a shift in enforcement dynamics.
  • A structural challenge for EU digital sovereignty — it shows that as long as the main cloud providers are American, EU data is in practice accessible to US intelligence services.

For US law

  • An indirect driver of FISA 702 reform in Congress — the 2024 FISA 702 reauthorization included limitations, but did not fully address the EU’s concerns.
  • Executive Order 14086 (Biden, October 2022) introduced a Data Protection Review Court and other measures that formed the basis of the DPF.

For other jurisdictions

  • UK — the UK GDPR is a copy of the EU GDPR; post-Brexit the UK needs its own adequacy decision (granted in 2021, in force until 2025, currently being renegotiated).
  • Switzerland, Japan, South Korea — watching developments closely because they hold their own adequacy decisions.
  • China, Russia — use the case as an argument against the US in the cybersecurity debate.

For Big Tech practice

  • Onshoring infrastructure — Meta, Google and Microsoft have begun building regional data centers in the EU (Meta in Luleå, Google in Dublin, Microsoft’s recently announced facilities) under the banner of “EU cloud sovereignty.”
  • EU Data Boundary (Microsoft, 2024) — lets customers keep all data within the EU.
  • Debate over the “EuroStack” — European alternatives to AWS, Azure and GCP.

Class actions

There are no significant class actions directly tied to the EUR 1.2 billion fine. Schrems / NOYB are, however, running dozens of parallel complaints against other aspects of Meta’s operations.


Conclusions for citizens


What does this mean for me?

If you use Facebook, Instagram, WhatsApp or any other Meta product in the EU, your data is physically processed on servers in the United States, where US intelligence agencies can access it under FISA 702 and EO 12333. The European judiciary has found this unlawful — but in practice you have no effective way of preventing it if you want to keep using those services. The DPF (July 2023) is a temporary fix that Schrems has announced he will challenge.

How to protect yourself

  1. Prefer European providers: ProtonMail (Switzerland), Tutanota (Germany), Signal (a US nonprofit, but end-to-end encrypted), Mastodon (decentralized, EU-hosted).
  2. Use E2E encryption wherever possible: WhatsApp (E2E, but metadata goes to the US), Signal (fully E2E).
  3. Avoid US clouds for sensitive documents: lawyers, mediators and doctors should use European cloud providers (OVH, Hetzner, Strato) or self-hosted solutions (Nextcloud).
  4. Check where your business is hosted: you can do this with tools like “CheckMyWebsite” or by checking the DNS. If it runs on a US-based CDN or cloud, customer data flows to the US.
  5. A VPN with a European exit node will not necessarily help if the service itself (Meta) is in the US, but it helps against ISP tracking.
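
The DNS check from step 4 can be scripted. The following is an added example, not part of the original page: it parses the answer lines printed by `dig +noall +answer` and flags CNAME, MX and NS records that point at well-known US-operated clouds and CDNs. The suffix list is a short illustrative assumption, the sample output and the domain `kancelaria.example` are constructed, and a match identifies the operator of the endpoint, not the physical storage location.

```python
# Suffix -> operator. Illustrative assumption, deliberately short; extend for real use.
US_OPERATED = {
    "cloudfront.net": "Amazon CloudFront",
    "amazonaws.com": "Amazon Web Services",
    "azurewebsites.net": "Microsoft Azure",
    "outlook.com": "Microsoft 365 mail",
    "google.com": "Google Workspace mail",
    "googlehosted.com": "Google hosting",
    "cloudflare.com": "Cloudflare",
    "fastly.net": "Fastly",
}

# Constructed sample of what this command prints:
#   dig +noall +answer www.kancelaria.example CNAME kancelaria.example MX kancelaria.example NS
SAMPLE_DIG = """\
www.kancelaria.example. 300 IN CNAME d1234abcd.cloudfront.net.
kancelaria.example. 3600 IN MX 0 kancelaria-example.mail.protection.outlook.com.
kancelaria.example. 86400 IN NS ns1.dns-provider.example.
kancelaria.example. 86400 IN NS ns2.dns-provider.example.
"""


def parse_answers(text):
    """Return (owner, rtype, target) tuples from dig answer lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not "<owner> <ttl> IN <type> <rdata...>"
        owner, rtype = fields[0], fields[3]
        if rtype not in ("CNAME", "MX", "NS"):
            continue
        # MX rdata is "<preference> <host>"; the host is always the last field.
        target = fields[-1].rstrip(".").lower()
        records.append((owner.rstrip(".").lower(), rtype, target))
    return records


def operator_for(hostname):
    """Match on whole DNS labels, longest suffix first; None if unknown."""
    labels = hostname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in US_OPERATED:
            return US_OPERATED[suffix]
    return None


def flag_us_operated(text):
    """List the records whose target belongs to an operator in US_OPERATED."""
    findings = []
    for owner, rtype, target in parse_answers(text):
        operator = operator_for(target)
        if operator:
            findings.append(
                {"name": owner, "type": rtype, "target": target, "operator": operator}
            )
    return findings


if __name__ == "__main__":
    for finding in flag_us_operated(SAMPLE_DIG):
        print(finding)
```

A and AAAA records are not classified here, because attributing an IP address to an operator needs a WHOIS or ASN lookup.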

What rights do I have?

GDPR Art. 15 — the right of access: you can demand that Meta provide a list of all the data it processes about you, including information about the countries to which the data is transferred.

GDPR Art. 17 — the right to erasure.

GDPR Art. 77 — the right to lodge a complaint with a national supervisory authority (in Poland: the President of the UODO). If Meta transfers your data to the US without a valid basis, you can report this to the UODO.

GDPR Art. 82 — the right to compensation for damage resulting from a breach. In May 2024, in VB v. Natsionalna agentsia za prihodite (C-340/21), the CJEU confirmed that fear of misuse of personal data can itself amount to non-material damage giving rise to compensation.

Where to turn

  • Poland: the President of the UODO, uodo.gov.pl
  • EU: your national DPA; complaints concerning Meta are forwarded to the Irish DPC as the lead authority
  • NOYB: noyb.eu — supports group complaints, including from Polish citizens

A note for mediators, lawyers and business owners

The key practical lesson: if you run a practice, a company or a foundation that processes client data, think about where your cloud is. Using Google Workspace, Microsoft 365, Dropbox, Slack, Asana, Notion and the like means that your clients’ data flows to the United States. You have GDPR obligations toward those clients. If a complaint is filed with the UODO, you are the one who bears responsibility, not Google or Microsoft. Microsoft EU Data Boundary (since 2024), Google Dublin EU Sovereign Cloud, Proton for Business and Tuta Business are lawful alternatives.

If you provide legal, medical, psychological or mediation services, you have a heightened duty of care under Art. 9 GDPR (special-category data). Transferring such data to the US without the DPF or BCRs is a grave violation.


Context

  • Max Schrems was a student when he started his first case against Facebook Ireland. He never finished his doctoral studies — activism took so much time that he dropped the PhD. He now runs NOYB.
  • 1,222 pages of data — that is how much Facebook sent Schrems in response to his 2011 access request. This included data he had supposedly deleted years earlier. It was the direct spark for his activism.
  • Meta threatened to leave the EU in SEC filings — repeatedly in 2022–2023 it wrote: “if we do not obtain an adequacy decision, we may be forced to shut down Facebook and Instagram in the EU.” Investors treated this as a bluff; in the end, the DPF arrived in time, so the threat was never tested.
  • The DPC initially did not want to impose a fine — this is one of the most important findings of the GDPR era. It shows that the “one-stop-shop mechanism” (a lead authority in the country of Big Tech’s headquarters), without the EDPB, would be an enforcement fiction in practice.
  • The EUR 1.2 billion fine is about 0.8% of Meta’s global 2022 turnover. The GDPR maximum is 4% — so the penalty was substantial but not draconian.
  • Edward Snowden tweeted after the decision: “This verdict is a direct consequence of documents disclosed 10 years ago. Who says information has no power?”
  • Poland has limited room to respond — Polish users are protected by the GDPR, but the UODO has no direct jurisdiction over Meta Ireland. It can only raise objections with the DPC through the Art. 60 GDPR mechanism.
  • The DPF (Data Privacy Framework, July 2023) includes a novel mechanism: a Data Protection Review Court within the US Department of Justice, where EU individuals can submit complaints about surveillance. Schrems argues that this court is not “independent within the meaning of Art. 47 of the EU Charter of Fundamental Rights.”
  • “Adequate countries” in the EU’s view: Andorra, Argentina, Canada (commercial entities only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Japan, New Zealand, South Korea, Switzerland, Uruguay, the United States (under the DPF). Not yet: China, India, Russia, Brazil.
  • The “brain drain” paradox: some commentators argued that Schrems II and the EUR 1.2 billion fine would push Big Tech out of the EU. In practice the opposite happened: Meta, Google and Microsoft began investing in EU infrastructure on a large scale.

Sources

  1. Data Protection Commission Ireland, “Data Protection Commission announces conclusion of inquiry into Meta Ireland,” 22 May 2023. URL: https://www.dataprotection.ie/en/news-media/press-releases/Data-Protection-Commission-announces-conclusion-of-inquiry-into-Meta-Ireland (accessed: 2026-04-17)

  2. CJEU, judgment in case C-311/18, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”), 16 July 2020. URL: https://curia.europa.eu/juris/document/document.jsf?docid=228677&doclang=EN (accessed: 2026-04-17)

  3. European Data Protection Board, “Binding Decision 1/2023 on the dispute submitted by the Irish SA regarding Meta Platforms Ireland Limited and its Facebook service,” 13 April 2023. URL: https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-12023-dispute-submitted_en (accessed: 2026-04-17)

  4. Mark Scott, “Meta fined record EUR 1.2B over EU-US data flows,” POLITICO Europe, 22 May 2023. URL: https://www.politico.eu/article/meta-facebook-fined-record-1-2-billion-euros-over-eu-us-data-flows/ (accessed: 2026-04-17)

  5. Meta statements on meta.com, 22 May 2023 and 10 July 2023.

  6. European Commission, “Adequacy decision for the EU-US Data Privacy Framework,” 10 July 2023. URL: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en (accessed: 2026-04-17)

  7. NOYB, “Schrems: 1.2 Billion Euro Fine Against Meta in EU-US Data Transfer Case,” 22 May 2023. URL: https://noyb.eu/en/schrems-12-billion-euro-fine-against-meta-eu-us-data-transfer-case (accessed: 2026-04-17)

  8. CJEU, judgment in case C-362/14, Schrems v. Data Protection Commissioner (“Schrems I”), 6 October 2015.

  9. Executive Order 14086 of October 7, 2022, “Enhancing Safeguards for United States Signals Intelligence Activities,” Federal Register. URL: https://www.federalregister.gov/documents/2022/10/14/2022-22531/enhancing-safeguards-for-united-states-signals-intelligence-activities (accessed: 2026-04-17)

  10. CJEU, judgment in case C-340/21, VB v. Natsionalna agentsia za prihodite (compensation for non-material damage under the GDPR), 14 December 2023.

  11. European Parliament, LIBE Committee hearings on the EU-US Data Privacy Framework, 2023–2024.

  12. “The Future of Data Flows in a Post-Schrems II World” — Max Planck Institute report, 2024.


Last updated: 2026-04-17 Card in database: A07_kara_1_2mld.md