Meta hit with record €1.2 billion fine for transferring European Facebook user data to the US
Facebook owner Meta has been fined a record €1.2 billion (around $1.3 billion) by Ireland's Data Protection Commission (DPC). The fine was issued for breaching EU data sharing regulations by failing to sufficiently protect user data.
In addition to the record fine, Meta has been ordered to cease the transfer of user data from the EU to the US for processing within six months. Responding to the demand to stop the "unlawful processing, including storage, in the US" of European user data, Meta points out that it "uses the same legal mechanisms as other organizations" and indicated that it intends to appeal against the ruling.
- Microsoft is working on Windows 11 23H2... but this Moment 4 update will be nothing to get excited about
- Microsoft reminds Windows 10 21H2 users about imminent end of service... and forced upgrades
- Microsoft acknowledges Start menu, Windows search and UWP app issues... but says Windows updates are not to blame
The European Union's General Data Protection Regulation (GDPR) requires strong protection of user data. But the DPC said that Facebook's approach to data transfer "did not address the risks to the fundamental rights and freedoms of data subjects". The findings, fine and ruling apply only to Facebook, and not other Meta-owned platforms such as Instagram and WhatsApp.
The fine comes after an inquiry lasting over two-and-a-half years, and the DPC's report says:
The DPC adopted its final decision in this inquiry on 12 May 2023. The decision records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses ("SCCs") that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.
In a blog post written by Nick Clegg, President of Global Affairs, and Jennifer Newstead, Chief Legal Officer, Meta says that it will "appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts".
The pair continue:
Despite acknowledging we had acted in good faith and that a fine was unjustified, the DPC was overruled at the last minute by the European Data Protection Board (EDPB). We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day.
Meta questions the process that led to the fine and order, saying:
The DPC initially acknowledged that Meta had continued its EU-US data transfers in good faith, and that a fine would be unnecessary and disproportionate. However, this was overruled by the EDPB, which also chose to disregard the clear progress that policymakers are making to resolve this underlying issue. This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.
It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard.