The largest GDPR fine ever

The General Data Protection Regulation (GDPR), which has been in force since 2018, is known worldwide for its strict sanctions. Under this regulation, inter alia, fines of up to €20 million or 4% of the total global annual turnover can be imposed on the infringer. In 2021, the Luxembourg data protection authority CNPD fined Amazon a whopping €746 million – the highest GDPR fine ever – after the French advocacy group La Quadrature du Net took collective legal action against the American tech giant.

On 22 May 2023, Amazon was knocked out of this top spot by another major player on the technology market: Meta Platforms Ireland. On 12 May 2023, after a particularly long ordeal, Meta was fined a new record sum of €1.2 billion by the Irish Data Protection Commission. The reason for this massive fine has preoccupied the privacy world for a long time: international transfers of personal data to the United States. For more background information on this subject, see our earlier newsletter (in Dutch): (R)evolutie in doorgiften van persoonsgegevens [Evolution (and revolution) of personal data transfers].

This ruling against Meta is not an isolated phenomenon. For example, the Austrian Data Protection Authority already held in December 2021 that the use of Google Analytics contravenes the GDPR; moreover, international transfers of personal data to the United States do not comply with the regulation.

In its response to this ruling, Meta makes an interesting point. It says that the issue concerning the inadequate level of personal data protection extends beyond the confines of the Meta group. It primarily relates to the virtually unlimited access that certain US government agencies (such as the NSA and the CIA) have to data which is processed in American companies.

This defeat for Meta does not mean that Facebook, Instagram, or WhatsApp will no longer be available in the EU overnight, however. Meta has announced that it will appeal this decision. At the same time, the procedure within the European authorities for reaching a new adequacy decision concerning the United States, Privacy Shield II, is ongoing. This adequacy decision should enable companies to share personal data more easily with parties that are based in the United States.

Max Schrems and his NGO “None Of Your Business” are not sitting on their hands either. They have already announced that they will not refrain from bringing a “Schrems III” case before the Court of Justice. They will certainly do so if no substantial changes are made to the way our personal data is processed by large American tech companies, the access they could have to such data, and the uses they could make of it.

The Irish Data Protection Commission’s decision confirms a longstanding concern: the legal uncertainty surrounding international transfers of personal data outside the European Economic Area (not only to the United States). It is therefore important for companies and organizations to address these uncertainties with the greatest care and to ensure that they remain thoroughly informed regarding all the relevant issues. Your company or organization will need to evaluate its international data transfers – and thus its contacts with third parties – all over again. Doing this will require both operational and legal efforts.

This intense fight will undoubtedly continue to affect the interests of the pro-privacy community for the foreseeable future. We are continuously monitoring the latest developments concerning international transfers of personal data and all data protection rules. You will receive updates about all of this in future newsletters.


If you have any legal questions about international transfers of personal data, the GDPR sanction rules, or privacy and data protection, please get in touch with our Privacy & Data Protection Team.

Authors: Kristof Zadora, Dylan Verhulst & Alexander Broux
