The fine imposed by Ireland’s privacy regulator sets a new record for violating EU data protection regulations
Meta, the owner of Facebook, has received a historic fine of €1.2bn (£1bn) and has been instructed to halt the transfer of user data from the EU to the US. The fine, amounting to $1.3bn, was imposed by the Data Protection Commission (DPC) of Ireland, the regulatory authority overseeing Meta within the EU. This penalty sets a new precedent for breaching the General Data Protection Regulation (GDPR) of the European bloc. The suspension of data transfers by Facebook is not immediate, as Meta has been given a timeframe of five months to implement this measure.
The penalty imposed by the DPC is associated with a legal dispute initiated by Max Schrems, an Austrian privacy advocate. The concerns arose from the Edward Snowden disclosures, which indicated that the data of European users is inadequately safeguarded from US intelligence agencies during transatlantic transfers.
Meta has been granted a six-month period to cease the “unlawful processing and storage in the US” of personal data belonging to EU individuals that has already been transferred across the Atlantic. Consequently, user data will need to be removed from Facebook servers. However, this ruling does not impact data transfers on Meta’s other major platforms, namely Instagram and WhatsApp. Meta has announced its intention to appeal the decision and seek a suspension of the data transfer order. The DPC found that Meta violated GDPR by persisting in transferring EU user data to the US without adequate safeguards, disregarding a 2020 judgment by the Court of Justice of the European Union (CJEU) that necessitated robust protection of such information. The CJEU ruling mandates that data leaving the EU must receive the same level of protection as it would under GDPR when it reaches destinations outside the EU.
According to the regulator, the standard contractual clauses (SCCs), a legal mechanism Facebook used to transfer the data, failed to adequately mitigate the risks to the fundamental rights and freedoms of data subjects as highlighted in the Court of Justice’s ruling. Meta, with its EU headquarters in Ireland, expressed discontent with the DPC’s decision, claiming that it had been unfairly targeted while numerous other businesses employed the same data transfer procedures.
A representative from the European Commission, the executive body of the EU, expressed optimism that a new framework for transatlantic data transfers would be operational and fully functional by the summer. This framework aims to provide the desired stability and legal certainty for US tech companies. Under this new data regime, which has been agreed upon at a political level between Washington and Brussels, Facebook would be able to resume its data transfers. However, the implementation of this framework still requires further agreement and consensus.
The spokesperson emphasized that the EU has collaborated closely with the US to establish safeguards that protect consumer data. They expressed a strong desire to restore legal certainty and ensure the effective implementation of these measures.
According to the Meta blog, Facebook’s service in the EU will not face immediate disruption due to the grace period granted by the DPC. However, Meta’s recent quarterly results indicate that without standard contractual clauses (SCCs) or other alternative methods for data transfers, the company may be unable to provide several of its key products and services, including Facebook and Instagram, in Europe.
Meta disclosed a net income of $23.2 billion based on US profit measurements for the previous year. As of midday trading on Monday, Meta’s shares had increased by 2.2%, resulting in a valuation of over $640 billion for the company.
Eddie Powell, a data protection partner at UK law firm Fladgate, expressed skepticism that an appeal would successfully overturn the entire decision. He highlighted the core issue as the US government’s ability, under US law, to access EU individuals’ personal data held by US corporations on the grounds of national security, without adequate safeguards or checks. Powell also noted that the imposed fine reflected the structure of Meta’s systems, which necessitated the transfer of all data collected on its social media platforms to the US without any protective measures.
Mark Deem, a partner at UK law firm Wiggin, emphasized that the size of the fine would serve as a message to other businesses involved in personal data transfers outside the EU. He stated that one of the purposes behind the significant figure was to caution companies about their handling of international data transfers.
The Information Commissioner’s Office, the data watchdog in the UK, acknowledged the decision and stated that they would review the details in due course.