Meta Slapped with €1.2bn Fine and Data Transfer Suspension by EU Regulator

In a landmark decision, Meta, the parent company of Facebook, has been hit with a record-breaking €1.2bn fine by the European Union (EU) for privacy violations. The fine, issued by Ireland’s Data Protection Commission (DPC), the regulator responsible for upholding EU data protection law, also comes with an order to suspend transfers of user data to the United States. This penalty marks the largest-ever imposed by the EU on privacy breaches.

The DPC found that Meta had violated regulations requiring appropriate safeguards for the transfer of personal data from the EU to the US. Despite the transfers being based on contractual clauses endorsed by the European Commission, the changes made by Meta Ireland following a 2020 ruling by the European Court of Justice were deemed insufficient to address the risks to fundamental rights and freedoms associated with such transfers.

Previously, the highest fine imposed on a Big Tech company for privacy violations in the EU amounted to €746mn, which was levied on Amazon by the Luxembourg regulator in 2021. This latest decision reflects the growing pressure within Europe for stricter rules regarding data transfers to the US, as concerns persist over the exposure of individuals’ information to surveillance programs.

In response to the fine, Nick Clegg, Meta’s president of global affairs, expressed disappointment and criticized the decision, claiming that Meta had used the same legal mechanism as thousands of other companies operating in Europe. He described the decision as flawed, unjustified, and setting a dangerous precedent for other companies engaged in data transfers between the EU and the US.

As a result of the ruling, the DPC has given Facebook’s EU operation a five-month deadline to suspend any future transfer of personal data to the US. Additionally, there is a six-month timeframe for the group to cease the processing and storage of any European citizen’s personal information previously transferred to the US in violation of the EU’s General Data Protection Regulation (GDPR).

Meta is expected to appeal the decision, and during the appeal process, a new transatlantic privacy shield might be established. In October 2022, US President Joe Biden signed an executive order outlining measures the White House will take to adhere to a new EU-US data privacy framework that is currently being negotiated.

The penalty imposed on Meta adds to a series of fines the social media giant has faced globally due to lax privacy protections. In 2019, the company was fined $5bn by the Federal Trade Commission in response to the Cambridge Analytica scandal. Alongside this latest development, Meta is contending with an advertising slump and an overall economic slowdown, which has led CEO Mark Zuckerberg to implement lay-offs and promise increased efficiency.

Since a 2020 EU court ruling, social media platforms’ data transfers to the US have been uncertain. The ruling invalidated the previous EU-US privacy shield, deeming it insufficient in safeguarding user data from US surveillance. Privacy activist Max Schrems, known for challenging Big Tech companies in European courts, suggested that Meta may need to undertake significant restructuring of its systems unless US surveillance laws are rectified.

Ireland’s data protection regulator has faced criticism from privacy activists and other data watchdogs in the EU, who believe that the fines imposed on Big Tech companies have been too small or that certain cases have not been pursued with sufficient determination.