Meta hit with record $1.3-billion fine in EU over US data transfers

Meta given six months to stop 'the unlawful processing, including storage, in the US' of transferred personal EU data

Facebook owner Meta Platforms Inc. was hit by a record €1.2 billion ($1.3 billion) European Union privacy fine and given a deadline to stop shipping users’ data to the US after regulators said it failed to protect personal information from the American security services.

The fine imposed by Ireland’s Data Protection Commission (DPC), which regulates Meta across the EU, is a record for a breach of the bloc’s General Data Protection Regulation (GDPR).

The social network giant’s continued data transfers to the US didn’t address “the risks to the fundamental rights and freedoms” of people whose data was being transfered across the Atlantic, the Irish Data Protection Commission said on Monday.

On top of the fine, which eclipses a €746 million EU privacy penalty previously doled out to Amazon.com, Meta was given five months to “suspend any future transfer of personal data to the US” and six months to stop “the unlawful processing, including storage, in the US” of transferred personal EU data.

The DPC punishment relates to a legal challenge brought by an Austrian privacy campaigner, Max Schrems, over concerns resulting from the Edward Snowden revelations that European users’ data is not sufficiently protected from US intelligence agencies when it is transferred across the Atlantic.

The ban on data transfers was widely expected and once prompted the US firm to threaten a total withdrawal from the EU. Still, the likely impact has now been muted by the transition phase and the prospect of a new EU-US data flows agreement that could already be operational by the middle of this year.

Monday’s decision is the latest round in a long—running saga that eventually saw Facebook and thousands of other companies plunged into a legal vacuum. In 2020, the EU’s top court annulled an EU-US pact regulating transatlantic data flows over fears citizens’ data wasn’t safe once it arrived on US servers.

While judges didn’t strike down an alternative tool based on contractual clauses, their doubts about American data protection quickly led to a preliminary order from the Irish authority telling Facebook it could no longer move data to the US via this other method either.

The ruling does not impact data transfers at Meta’s other main platforms, Instagram and WhatsApp. The DPC said Meta infringed GDPR by continuing to transfer EU user data to the US despite a ruling by the European court of justice requiring strong protection of that information.

‘Flawed’ decision

Meta said it would appeal the Irish decision, describing it as “flawed” and “unjustified.” The company also promised to “immediately” seek a suspension of the banning orders, saying they would cause harm to “the millions of people who use Facebook every day.”

The data-transfer curbs risk carving up the internet “into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, chief legal officer, said in a blog post.

EU regulators in December unveiled proposals to replace the previous “Privacy Shield” pact that had been torpedoed by the EU’s Court of Justice. This followed months of negotiations with the US, which yielded an executive order by President Biden and US pledges to ensure that EU citizens’ data is safe once it’s shipped across the Atlantic.