U.S. tech giant Meta has been hit with a record €1.2 billion fine for not complying with the EU’s privacy rulebook.
The Irish Data Protection Commission announced on Monday that Meta violated the General Data Protection Regulation (GDPR) when it shuttled troves of personal data of European Facebook users to the United States without sufficiently protecting them from Washington’s data surveillance practices.
It’s the largest fine imposed under the bloc’s flagship General Data Protection Regulation (GDPR) privacy law and it comes on the eve of the fifth anniversary of the law’s enforcement on May 25.
Amazon was previously fined €746 million by Luxembourg and the Irish regulator also imposed four fines against Meta’s platforms Facebook, Instagram and WhatsApp ranging between €405 million and €225 million in the past two years.
The Irish privacy watchdog said that Meta’s use of a legal instrument known as standard contractual clauses (SCCs) to move data to the U.S. “did not address the risks to the fundamental rights and freedoms” of Facebook’s European users raised by a landmark ruling from the EU’s top court.
The European Court of Justice in 2020 struck down an EU-U.S. data flows agreement known as the Privacy Shield over fears of U.S. intelligence services’ surveillance practices. In the same judgment, the top EU court also tightened requirements to use SCCs, another legal tool widely used by companies to transfer personal data to the U.S.
Meta — as well as other international companies — kept relying on the legal instrument as European and U.S. officials struggled to put together a new data flows arrangement and the U.S. tech giant lacked other legal mechanisms to transfer its personal data.
The EU and U.S. are finalizing a new data flow deal that could come as early as July and as late as October. Meta has until October 12 to stop relying on SCCs for its transfers.
The U.S. tech giant previously warned that if it were forced to stop using SCCs without a proper alternative data flow agreement in place, it could shut down services like Facebook and Instagram in Europe.
Meta also has until November 12 to delete or move back to the EU the personal data of European Facebook users transferred and stored in the U.S. since 2020 and until a new EU-U.S. deal is reached. However, it’s unlikely the tech firm will have to delete or move data as European and U.S. negotiators are expected to finalize the new deal before early November.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” Meta’s President of Global Affairs Nick Clegg and Chief Legal Officer Jennifer Newstead said in a statement on Monday.
Clegg and Newstead said the company will appeal the decision and seek a stay with the courts to pause the implementation deadlines. “There is no immediate disruption to Facebook because the decision includes implementation periods that run until later this year,” they added.
Max Schrems, the privacy activist behind the original 2013 complaint supporting the case, said: “We are happy to see this decision after ten years of litigation … Unless U.S. surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”
The Irish Data Protection Commission said it disagreed with the fine and measure that it was imposing on Meta but had been forced to do so by the pan-European network of national regulators, the European Data Protection Board (EDPB), after Dublin’s initial decision was challenged by four of its peer regulators in Europe, from Germany, France, Spain and Austria.
According to internal discussions released on Monday, the Irish regulator earlier this year vehemently argued against imposing a financial penalty on the social media giant, saying that such a decision would be disproportionate for the alleged privacy abuses. Dublin also argued any such fine against Meta could be viewed as discriminatory since U.S. tech firm Google had not faced similar penalties for other transatlantic data protection cases.
But Ireland was overruled by other European regulators. In a stinging rebuke, the pan-EU body of privacy regulators EDPB said it took the view that “Meta committed the infringement at least with the highest degree of negligence,” the discussions released Monday showed, arguing in favor of a fine. The EDPB backed claims from the four EU privacy regulators that Meta should also be forced to delete historical European data affected by the decision.
This article was updated to include comments from Meta and Max Schrems and to add details about the decision.