Meta’s Facebook fined a record €1.2 billion for mishandling data transfers in the EU

• The Irish regulator said Facebook had violated its rules.
• Record EU fine over privacy violations.
• Facebook’s EU operation has five months.

The General Data Protection Regulation (GDPR) is undoubtedly the strictest privacy and security law in the world, and Facebook is facing one of the most significant penalties since the European Union (EU) enacted the landmark law five years ago. Ireland’s Data Protection Commission (DPC), which oversees the GDPR, announced that it had slapped Meta, the social media giant’s parent company, with a €1.2 billion fine.

In a statement, the DPC said Facebook had violated its rules requiring platforms to ensure data transfers from the EU to the US have appropriate safeguards in place. The Irish watchdog levied the fine on behalf of European regulators, saying the European Data Protection Board had ordered it to collect “an administrative fine for 1.2 billion euros”.

The fine also came four months after the Irish DPC handed down its first fine of €390 million against Meta due to unlawful personalized advertising on Facebook and Instagram. The Irish regulator has imposed four fines against Meta’s platforms, Facebook, Instagram, and WhatsApp, ranging between €405 million and €225 million in the past two years.

This time around, the DPC found that the EU-US data flows by Facebook had relied on contractual clauses that “did not address the risks to the fundamental rights and freedoms” of users, despite an earlier judgment from the EU’s Court of Justice mandating that it better protect individuals’ information from invasive US surveillance programs.  

What now for Facebook in the EU?

According to the Irish watchdog, Facebook’s EU operation has five months to “suspend any future transfer of personal data to the US” and six months to cease the processing — including storage — of any European citizens’ personal information in the US that was previously transferred in violation of GDPR.  

Meta has said it would appeal the decision and that there would be no immediate disruption to Facebook’s European Union service. The social media giant, however, said it was “disappointed to have been singled out” and the ruling was “flawed, unjustified and set a dangerous precedent for the countless other companies.” 

Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, the chief legal officer, said in a statement: “Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”

Meta threatened to pull out of the EU if Ireland’s data protection watchdog banned EU-US data flows, which would be severely disruptive to its business. The ruling announced on May 22 by the Irish DPC applies only to Facebook and not Instagram and WhatsApp, which Meta also owns.

Meta and other companies are generally counting on a new data agreement between the US and the EU. Last year, President Biden and Ursula von der Leyen, the president of the EU, announced the outlines of a deal in Brussels, but the details are still being negotiated. President Biden has even signed an executive order detailing the measures the White House will take to adhere to the new EU-US data privacy framework.

Meanwhile, the Sean Heather, senior vice president for International Regulatory Affairs and Antitrust at the US Chamber of Commerce commented in a statement that the announcement by Ireland’s DPC regarding Facebook’s data transfers to the United States stems from hypothetical concerns about government access to data identified by the European Court of Justice almost three years ago.

“The European Data Protection Board’s decision to fine Meta, which the IDPC found had acted in good faith, creates a dangerous precedent for any company transferring data to the US. Most importantly, the U.S. and EU have since reached an agreement to satisfy the Court’s concerns. Once implemented, the EU-U.S. Data Privacy Framework should supplant today’s decision by the IDPC. This issue goes far beyond Meta; the time has come for the United States and the European Union to operationalize this agreement quickly, returning certainty to data flows that underpin transatlantic economic ties, society, and our international cooperation,” the statement said.

Before the latest fine imposed on Meta for its data dealings via Facebook, Amazon held the top spot with a record €746 million EU fine over privacy violations in 2021.

---

---

---

---