Meta, the parent company of Facebook, has incurred a hefty fine of €1.2 billion ($1.3 billion) from the European Union (EU) for violating the General Data Protection Regulation (GDPR). This unprecedented penalty is a consequence of Meta’s failure to adequately safeguard the personal data of European users from surveillance activities carried out by American security services.
Breaking GDPR Records: Exporting European Data to the US
The Irish Data Protection Commission, responsible for the decision, stated that Meta’s data transfers to the United States did not sufficiently address the risks to individuals’ fundamental rights and freedoms. The company relied on standard contractual clauses (SCCs) to transfer data to the US, but these measures were deemed inadequate following a ruling by the EU’s highest court.
Alongside the record-breaking fine, Meta has been given a five-month deadline to cease any future transfer of personal data to the US, and a six-month deadline to halt the unlawful processing and storage of transferred personal data from the EU in the US.
This decision is part of an ongoing dispute that has created legal uncertainty for Facebook and other companies. In 2020, the EU’s highest court invalidated an EU-US agreement governing data transfers due to concerns about data protection in the US. Subsequently, the Irish authority ordered Facebook to discontinue transferring data to the US using alternative mechanisms, such as contractual clauses.
Efforts have been made to establish a new EU-US data flows agreement, with a proposed replacement for the defunct “Privacy Shield” agreement introduced in December 2022. The fine imposed on Meta coincides with the fifth anniversary of the GDPR, which is regarded as the global standard for privacy protection.
Meta intends to challenge the decision and the fine, highlighting the potential harm to the millions of people who rely on Facebook’s services daily. The company warns that if forced to cease using contractual clauses without a suitable alternative, it may have no choice but to suspend operations of platforms like Facebook and Instagram in Europe.
Under the GDPR, EU regulators possess the authority to impose fines of up to 4% of a company’s annual revenue for severe violations. The Irish Data Protection Commission has emerged as the leading privacy regulator for major tech companies with a presence in the EU, including Meta and Apple.
