Meta loses Irish High Court challenge over potential €430m fine

Meta has lost its High Court challenge in Ireland against a draft decision by the Irish Data Protection Commission (DPC), which could result in a fine of up to €430 million and an order requiring system-wide corrective measures. In a 98-page judgment, Ms Justice Siobhán Phelan rejected all grounds of Meta's case, dismissing claims that the DPC had exceeded its statutory powers.

The legal proceedings stemmed from an October 2025 draft DPC decision, based on an investigation into a single data protection complaint filed by a Facebook user in July 2018. The user requested access to his personal data stored in a digital warehouse called Hive. Although Meta provided online tools to download the information, the complainant argued that additional personal data had been left unsent.

Following an investigation into violations of Articles 12, 15, and 20 of the EU General Data Protection Regulation (GDPR), the DPC signalled that it would order corrective measures and impose administrative fines ranging between €360 million and €430 million due to the significant impact of Meta's practices on millions of users.

Meta challenged the draft decision, arguing that the regulator had unlawfully expanded a complaint-based inquiry into a broader, own-volition investigation. The tech company claimed that systemic issues could only be addressed through separate, self-initiated regulatory inquiries. The DPC counter-argued that the legal challenge was premature and maintained that it was obliged to consider systemic effects when determining appropriate remedies for proven infringements.

The judge ruled that Meta's interpretation of the architecture of the GDPR and the [Irish] Data Protection Act 2018 was not legally sound. She determined that regulatory frameworks do not differentiate between complaint-based and own-volition inquiries regarding the extent of investigative or corrective powers available. 

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.