Meta has received a record-breaking fine of 1.2 billion euros ($1.3 billion) from European privacy regulators due to the transfer of European Union (EU) user data to the United States (US).
The decision stems from a case initiated by Austrian privacy activist Max Schrems, who argued that the existing framework for transferring EU citizen data to the US did not adequately protect Europeans from US surveillance.
There have been several legal disputes surrounding mechanisms for transferring personal data between the US and the EU. The most recent arrangement, known as Privacy Shield, was invalidated by the European Court of Justice in 2020, which is the highest court in the EU.
The Irish Data Protection Commission, responsible for overseeing Meta’s operations in the EU, accused the company of violating the General Data Protection Regulation (GDPR) of the EU. Despite the 2020 ruling by the European court, Meta continued to transfer the personal data of EU citizens to the US. GDPR is a significant data protection regulation that governs companies operating within the EU, and it has been in effect since 2018.
Meta utilized a mechanism called standard contractual clauses to facilitate the transfer of personal data between the EU and the US. This method had not been blocked by any EU court. However, the Irish data regulator stated that these clauses, along with other measures implemented by Meta in conjunction with the European Commission, did not adequately address the risks to the fundamental rights and freedoms of data subjects as highlighted by the European Court of Justice.
The Irish Data Protection Commission also instructed Meta to halt any future transfer of personal data to the US within a five-month period following the decision.
The 1.2 billion euro fine imposed on Meta is the largest ever penalty issued for breaching GDPR. Previously, the highest fine of 746 million euros had been levied against e-commerce giant Amazon for GDPR violations in 2021.
Meta has announced its intention to appeal the decision and the fine. In a blog post on Monday, Meta’s President of Global Affairs, Nick Clegg, and Chief Legal Officer, Jennifer Newstead, stated that they would seek a stay from the courts to pause the implementation deadlines due to the potential harm caused by the orders, particularly to the millions of Facebook users.
This case involving Meta has once again brought attention to the efforts of the EU and Washington to establish a new data transfer mechanism. Although the US and EU reached a preliminary agreement on a new framework for cross-border data transfers last year, it has not yet come into effect.
Meta is hopeful that the EU-US data privacy agreement will be established before the Irish regulator’s deadlines take effect. If the new framework is implemented within the expiration of the implementation deadlines, Meta’s services can continue without disruption or impact on users, as stated by Clegg and Newstead.
