Meta hit with record $1.3 billion fine over personal data transfer
Facebook owner Meta has been fined a record €1.2 billion ($1.3 billion) for transferring EU user data to the US in breach of a court ruling.
Irish regulator the Data Protection Commission, which acts on behalf of the EU, said the European Data Protection Board had ordered it to collect “an administrative fine in the amount of €1.2 billion”.
The DPC has been investigating Meta Ireland’s transfer of personal data from the EU to the US since 2020.
It found that Meta, which has its European headquarters in Dublin, failed to “address the risks to the fundamental rights and freedoms of data subjects” that were identified in a ruling by the Court of Justice of the EU.
Meta said it would appeal against the “unjustified and unnecessary” penalty.
The decision is another twist in a legal battle that began in 2013, when Austrian lawyer and privacy campaigner Max Schrems filed a complaint about Facebook’s handling of his data.
This followed former National Security Agency contractor Edward Snowden’s revelations of electronic surveillance by US security agencies.
That included the disclosure that Facebook gave the agencies access to the personal data of Europeans.
An agreement covering EUUS data transfers known as the Privacy Shield was struck down in 2020 by the EU’s highest court, which said it did not do enough to protect European residents.
Yesterday’s decision confirmed that another tool to govern data transfers – stock legal contracts – was also invalid.
In December, EU regulators unveiled proposals to replace the Privacy Shield pact invalidated by the Court of Justice.
Yesterday, it was decided that Meta’s data transfers to the US did not address “the risks to the fundamental rights and freedoms” of people whose data was being transferred across the Atlantic.
Meta was also given a deadline to stop shifting users’ data to the US after regulators said it had failed to protect personal information from American security services.
The DPC gave the company five months to “suspend any future transfer of personal data to the US” and six months to stop “the unlawful processing, including storage, in the US” of personal data transferred from the EU.