Meta Platforms fined €1.2 billion by EU regulator for unlawful data transfers to US.
Meta Platforms, the parent company of Facebook, has been hit with a record-breaking €1.2 billion ($1.3 billion) fine by the European Union (EU) for its mishandling of user data and ongoing transfer of data to the United States. The Irish Data Protection Commissioner (DPC), acting as the lead EU privacy regulator, imposed the fine after the company continued to transfer data despite a 2020 EU court ruling that invalidated an EU-U.S. data transfer pact. The penalty surpasses the previous EU privacy fine record of €746 million imposed on Amazon.com Inc in 2021.
The dispute surrounding Meta’s data storage practices began a decade ago when Austrian privacy campaigner Max Schrems raised concerns about the risk of U.S. surveillance following revelations by whistleblower Edward Snowden. Meta expressed its intention to appeal the ruling, emphasising that the fine sets a dangerous precedent for other companies and vowing to seek a stay on the suspension orders through the courts. The company also reiterated its expectation that a new agreement facilitating the safe transfer of EU citizens’ personal data to the United States would be fully implemented before it has to suspend transfers.
Impact on EU-U.S. Data Transfers
The fine and suspension order from the DPC pose significant challenges for EU-U.S. data transfers. The European Court of Justice had previously invalidated two data transfer agreements due to concerns about U.S. surveillance practices. Meta’s reliance on standard contractual clauses (SCCs) for data transfers has been deemed insufficient by the DPC and the European Data Protection Board (EDPB). Meta’s hope that a new privacy framework will resolve the issue remains uncertain, as EU lawmakers have called for improvements to the proposed agreement.
Penalties and Compliance Requirements
The DPC has fined Meta a total of €2.5 billion for breaches under the General Data Protection Regulation (GDPR), the EU’s data protection legislation introduced in 2018. Alongside the fine, Meta has been given five months to cease transferring European user data to the U.S. and six months to bring its data processing practices into compliance with GDPR. Compliance requires the cessation of unlawful processing, including storage, of European users’ personal data in the U.S. Failure to comply may result in a suspension of Meta’s services in Europe.
Meta faces significant challenges in complying with the suspension order, particularly regarding the deletion of vast amounts of user data. The company’s reliance on U.S.-based data centres and the potential need to revamp its operations further complicate the situation. The decision raises concerns about data sovereignty, privacy protection, and the future of EU-U.S. data transfers. The European Parliament has criticised the new privacy pact, indicating the potential for further legal scrutiny and uncertainty.
Meta Platforms’ record-breaking fine and suspension order underscore the ongoing challenges and tensions surrounding data transfers between the EU and the U.S. The decision by the Irish DPC reflects the EU’s commitment to protecting user privacy and data sovereignty. The outcome of Meta’s appeal and the development of a new privacy framework will have far-reaching implications for data transfers and the operations of tech giants operating within the EU.