Meta fined more than €1 billion for GDPR breach

Penalty sets a new record

Meta Platforms, the owner of Facebook, has been fined €1.2 billion over the transfer of EU users' data to servers located in the United States.

The fine, from European regulators led by the Irish Data Protection Commission (DPC), punishes Meta for disregarding a previous warning from a top European court.

That warning was intended to safeguard users' data from being accessed by US intelligence agencies by stopping Meta from transferring user data outside the EU.

Exceeding €1 billion, the fine sets a new record for financial penalties imposed under the GDPR. The previous record, set in 2021, saw Luxembourg's regulator fine Amazon €746 million.

The ruling revolves around Meta's use of complex legal instruments known as standard contractual clauses (SCCs) for transferring EU data to the US.

Transatlantic data transfers like these could potentially subject Europeans to less stringent US privacy laws.

The DPC has ordered Meta to "suspend" its use of SCCs to transfer EU citizens' data, and to stop storing such data in the USA.

However, only Facebook data is affected, not that from Meta's other properties like WhatsApp or Instagram.

Nick Clegg, Meta's global affairs president, called the decision "flawed" and "unjustified." He also said it "sets a dangerous precedent for the countless other companies transferring data between the EU and US."

Meta threatens EU exit - again

Meta warned last year that a ban on its data transfer mechanism might force it to suspend Facebook services in Europe.

In 2020, Meta's policy chief, Nick Clegg, expressed concerns about the potential consequences of suspending data transfers based on SCCs, which Facebook and other entities use.

Clegg said a suspension could have a significant impact on businesses relying on SCCs, as well as their customers.

However, it is unlikely that the DPC's data transfer ban will take effect immediately.

Meta is expected to be granted a grace period to adhere to the decision, which could delay any suspension until the autumn. Additionally, the company is likely to lodge an appeal.

"This case relates to a historic conflict of EU and US law, which is in the process of being resolved via the new EU-US Data Privacy Framework," a Meta spokesperson told The Guardian before the DPC finalised the penalty.

"We welcome the progress that policymakers have made towards ensuring the continued transfer of data across borders and await the regulator's final decision on this matter."

Fine is "least important part" of ruling

Edward Machin, a senior lawyer in Ropes & Gray's data, privacy & cybersecurity practice, called the ruling "a rare case of the first billion euro fine under the GDPR being the least important part of the story."

More important, he said, was the DPC's ruling that the standard contractual clauses are not a valid mechanism to transfer personal data to the US.

"[That] will have a significant impact on the ability of organisations of all shapes and sizes to lawfully share and receive data from Europe. It will also kick off a race against time for lawmakers to finalise the EU-US data transfer framework before the end of the six-month transition period that the DPC has given Meta to bring its transfers into compliance."

"This saga has been rumbling on for more than a decade and we are still no closer to a lasting solution. Even if the data transfer framework is agreed it will almost certainly be challenged before the European Court of Justice, just like its predecessors, and there is a reasonably good chance that it will also be invalidated.

"In the meantime, businesses on both sides of the pond are stuck in a groundhog day that will continue to cost significant time and money while not giving the legal certainty that surely isn't too much to ask for at this point."

Meta fines break €2 billion

The Irish DPC had already fined Meta over €1 billion since September 2021.

In November last year, the regulator fined the company €265 million ($277 million) for failing to prevent hackers from stealing the personal information of around 533 million Facebook users, in a 2019 data breach.

In September, the watchdog fined Meta's Instagram subsidiary a record-breaking €405 million for violating the GDPR and failing to protect children's data.

Earlier this year, Meta received a fine of €390m (£338m) from the Irish DPC for compelling users to consent to personalised advertisements, which violated EU privacy regulations - and a further €5.5 million for GDPR violations in WhatsApp.

In addition to the monetary penalty, Meta was prohibited from requiring users to opt in to advertising practices.

Because Apple, Google, and other tech giants have chosen to locate their EU headquarters in Ireland, the DPC is the regulatory body that oversees them. The regulator currently has more than three dozen investigations open into such companies.