Facebook owner Meta fined record €1.2 billion for EU-US data transfer

Meta has been fined €1.2 billion by the EU and ordered to suspend the transfer of user data to the US, the largest penalty ever imposed on an EU Big Tech company for data breaches.

Ireland’s data protection commission, which oversees the General Data Protection Regulation, fined Meta on Monday, saying Facebook had breached its rules requiring platforms to provide adequate safeguards for data transfers from Europe to the United States.

Instead, the DPC found that the platform’s EU-US data flows relied on contractual clauses that “did not address the risks to users’ fundamental rights and freedoms”, despite a previous ruling by the EU Court of Justice requiring the platform to be better protected. information on individuals from invasive US surveillance programs.

The record EU fine for breach of privacy comes after the Luxembourg regulator fined Amazon €746 million in 2021.

According to the DPC, Facebook’s EU operation also has five months to “suspend future transfers of personal data to the United States” and six months to stop processing, including storing, personal data previously transferred to European citizens. in the United States. in violation of the GDPR.

Nick Clegg, president of global affairs at Meta, said: “We . . . I am disappointed that they have been singled out when using the same legal mechanism as thousands of other companies seeking to provide services in Europe.”

He added: “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies that transfer data between the EU and the US.”

The fine comes as $630 billion market cap Meta struggles with a decline in advertising amid a broader economic slowdown that has prompted CEO Mark Zuckerberg to make several rounds of layoffs and promise a “year of efficiency.”

It’s the latest in a string of fines worldwide that the social media giant has been hit with for lax privacy protections, including a $5 billion penalty imposed by the Federal Trade Commission in 2019 over the Cambridge Analytica scandal.

Ireland’s regulator has come under fire from data protection activists and other data watchdogs in the bloc for not being ambitious enough to go after Big Tech companies, either by imposing fines deemed too small or not taking on cases.

Officials in Ireland are likely to point to this fine as the latest evidence of proper enforcement.

Social media platforms have been in a precarious position since a 2020 EU court ruling ruled that companies seeking to comply with the GDPR cannot rely on the previous EU-US privacy shield, as it does not sufficiently protect user data from US surveillance.

Last year, Meta threatened to leave the EU if Ireland’s data protection watchdog banned EU-US data flows, which would severely disrupt its business.

The company is expected to appeal the DPC’s decision, during which time a new transatlantic privacy shield may come into effect. In October 2022, US President Joe Biden signed an executive order detailing the measures the White House will take to comply with the new EU-US data protection framework, which is currently being negotiated.