Meta has been fined a record 1.2 billion euros ($1.3 billion) by European privacy regulators over the transfer of EU user data to the U.S.
The decision links back to a case brought by Austrian privacy campaigner Max Schrems who argued that the framework for transferring EU citizen data to America did not protect Europeans from U.S. surveillance.
Several mechanisms to legally transfer personal data between the U.S. and the EU have been contested. The latest such iteration, Privacy Shield, was struck down by the European Court of Justice, the EU’s top court, in 2020.
The Irish Data Protection Commission that oversees Meta operations in the EU alleged that the company infringed the bloc’s General Data Protection Regulation when it continued to send the personal data of European citizens to the U.S despite the 2020 European court ruling.
GDPR is the EU’s landmark data protection regulation that governs firms active in the bloc. It came into effect in 2018.
Meta used a mechanism called standard contractual clauses to transfer personal data in and out of the EU. This was not blocked by any court of the EU. The Irish data watchdog said that the clauses were adopted by the European Commission, the EU’s executive arm, in conjunction with other measures implemented by Meta. However, the regulator said these arrangements “did not address the risks to the fundamental rights and freedoms of data subjects that were identified” by the European Court of Justice.
Ireland’s Data Protection Commission also told Meta to “suspend any future transfer of personal data to the US within the period of five months” from the decision.
The 1.2 billion euro punishment for Meta is the highest any company has ever been fined for breaching GDPR. The previous largest fine was a 746 million euro charge for e-commerce giant Amazon for violating GDPR in 2021.
Meta plans to appeal
Meta said it would appeal the decision and the fine.
“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, chief legal officer at the company, said in a blog post Monday.
The Meta case has put focus back on the EU and Washington’s push to get a new data transfer mechanism. The U.S. and EU last year “in principle” agreed to a new framework for cross-border data transfers. However, the fresh new pact has not yet come into effect.
Meta is hoping that this EU-U.S. data privacy agreement is instated before the Irish regulator’s deadlines come in place.
If the new framework “comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users,” Clegg and Newstead said.