Meta hit with record $1.3 billion fine over personal data transfer

Facebook owner transferred EU user data to the US in breach of court ruling


Meta has been fined a record €1.2 billion ($1.3 billion) for transferring EU user data to the US in breach of a previous court ruling.

Ireland's regulator, the Data Protection Commission, which acts on behalf of the EU, said the European Data Protection Board had ordered it to collect “an administrative fine in the amount of €1.2 billion”.

The DPC has been investigating Meta Ireland's transfer of personal data from the EU to the US since 2020.

It found that Meta, which has its European headquarters in Dublin, failed to “address the risks to the fundamental rights and freedoms of data subjects” that were identified in a previous ruling by the Court of Justice of the European Union.

The court interprets EU law to make sure it is applied in the same way in all member states.

Facebook owner Meta said it would appeal against the “unjustified and unnecessary” penalty.

It called the decision “flawed” and promised to “immediately” seek a suspension of the banning orders, saying they would cause harm to “the millions of people who use Facebook every day”.

The decision is yet another twist in a legal battle that began in 2013 when Austrian lawyer and privacy activist Max Schrems filed a complaint about Facebook’s handling of his data following former National Security Agency contractor Edward Snowden’s revelations of electronic surveillance by US security agencies.

That included the disclosure that Facebook gave the agencies access to the personal data of Europeans.

An agreement covering EU-US data transfers known as the Privacy Shield was struck down in 2020 by the EU's top court, which said it did not do enough to protect residents from the US government's electronic prying.

Monday's decision confirmed that another tool to govern data transfers – stock legal contracts – was also invalid.

In December, EU regulators unveiled proposals to replace the previous Privacy Shield pact that had been invalidated by the European Court of Justice.

This followed months of negotiations with the US, which yielded an executive order by President Joe Biden and US pledges to ensure EU citizens’ data was safe on the other side of the Atlantic.

On Monday it was decided that Meta's continued data transfers to the US did not address “the risks to the fundamental rights and freedoms” of people whose data was being transferred across the Atlantic.

Facebook’s owner was also given a deadline to stop shifting users’ data to the US after regulators said the company had failed to protect personal information from American security services.

The Irish Data Protection Commission said the company had been given five months to “suspend any future transfer of personal data to the US” and six months to stop “the unlawful processing, including storage, in the US” of personal data transferred from the EU.

Meta last month said it expected that a new agreement to enable the safe transfer of EU citizens' data to the US would be struck before it had to suspend transfers.

In such an event, a previous warning that a stoppage could force Meta to suspend Facebook services in Europe would not come to pass.

The European Commission said on Monday it expects to finalise a data transfer pact with the United States by the summer.

“We expect this data protection framework between the EU and the US to be fully functionable by the summer. This will guarantee stability and legal certainty,” a commission spokesman told a daily news conference.

Mr Schrems welcomed the decision.

“Ever since Edward Snowden's revelations on US big tech aiding the [NSA] mass surveillance apparatus, Facebook [now Meta] was subject to litigation in Ireland,” said his organisation, the European Centre for Digital Rights.

But Mr Schrems said far harsher sanctions could have been used as Meta had “knowingly broken the law to make a profit”.

“It took us 10 years of litigation against the Irish DPC to get to this result … and risked millions of procedural costs,” he added.

“The Irish regulator has done everything to avoid this decision,” he added.

On Monday, Meta said the data transfer restrictions threatened users' access to shared services from different parts of the world.

They could carve up the internet “into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on”, Nick Clegg, the company's president of global affairs, and Jennifer Newstead, chief legal officer, said in a blog post.

The Meta fine coincides with the fifth anniversary of the EU’s General Data Protection Regulation, seen widely as the world’s benchmark for privacy.

Since May 2018, regulators in the 27-nation EU have had the power to impose fines of as much as 4 per cent of a company’s annual revenue for the most serious offences.

The Irish watchdog became the lead privacy regulator for some of the biggest tech firms with an EU base in the country, such as Meta and Apple.

It has fined Meta more than any other tech firm and has 10 other inquiries open into the social media group's platforms.

EU regulators have hit Meta with four fines in six months – and three this year – over data breaches by its Instagram, WhatsApp and Facebook services.

In January, the DPC fined the social media giant €390 million for breaking data rules in its use of targeted advertising on its apps.

In March, Meta was made to pay €5.5 million for breaching the GDPR with its WhatsApp messaging service.

Monday's fine eclipses the €746 million previously imposed on Amazon.

Updated: May 22, 2023, 2:01 PM