Meta Looses in Court Over Potential €430 Million GDPR Fines
Meta Platforms Ireland Ltd has lost a significant legal challenge against the Irish Data Protection Commission (DPC) regarding a GDPR investigation. The case originated from a single complaint filed in 2018 by a Facebook user about access to personal data stored in a digital system called ‘Hive.’ The user argued that without access to raw data, it was impossible to verify whether Facebook held sensitive or special category data or if GDPR rights were being properly respected. Facebook refused to provide this data, leading to a formal investigation by the DPC.
The DPC’s preliminary draft decision from October 2025 indicated that Meta had infringed three articles of the GDPR. The Commission proposed corrective measures, including a reprimand, compliance orders affecting Meta’s data access practices, and administrative fines ranging from €360 million to €430 million. These measures reflect the significant impact of the data processing practices on millions of Facebook users.
Meta challenged the DPC’s authority to expand the investigation beyond the original complaint, arguing that the Commission exceeded its powers by conducting a broader inquiry into all Facebook users. However, the High Court, presided over by Ms. Justice Siobhan Phelan, rejected this argument. The court ruled that a complaint-based inquiry can lawfully address systemic issues and impose system-wide corrective actions, including fines, without converting the process into an own-volition investigation.
The judgment clarifies that the Data Protection Commission’s powers to enforce GDPR are consistent regardless of how an inquiry begins. The Commission can consider the wider impact of any identified infringement and apply corrective measures accordingly. This decision reinforces the DPC’s role in ensuring effective GDPR enforcement and highlights the potential consequences for companies that fail to comply with data protection regulations.
