Facebook owner Meta Platforms has been hit with a record fine of 1.2 billion euros ($1.3 billion) for transferring European Union user data to the United States, failing to comply with a warning by a top EU court, regulators announced Monday.
The Irish Data Protection Commission (DPC), which acts on behalf of the EU, said the European Data Protection Board (EDPB) had ordered it to collect "an administrative fine in the amount of 1.2 billion euros."
The DPC has been investigating Meta Ireland's transfer of personal data from the EU to the U.S. since 2020.
It found that Meta, which has its European headquarters in Dublin, failed to "address the risks to the fundamental rights and freedoms of data subjects" identified in a previous ruling by the Court of Justice of the European Union (CJEU).
The CJEU interprets EU law to ensure it is applied in the same way in all member states.
In response, Meta said it was "disappointed to have been singled out," and the ruling was "flawed, unjustified and sets a dangerous precedent for the countless other companies."
"We intend to appeal both the decision's substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines," Meta head of global affairs Nick Clegg and Chief Legal Officer Jennifer Newstead said in a blog post.
"There is no immediate disruption to Facebook in Europe," they added.
Meta said it hopes to see the U.S. and EU adopt a new legal framework for the use of personal data in the coming months, following an agreement in principle last year, which could allow it to continue its data transfer practices.
Fourth fine
EU regulators have hit Meta with four fines in six months – and three this year – over data breaches by its Instagram, WhatsApp and Facebook services.
In January, the DPC fined the social media giant 390 million euros for breaking data rules in using targeted advertising on its apps.
In March, Meta was made to pay 5.5 million euros for breaching the EU's General Data Protection Regulation (GDPR) with its WhatsApp messaging service.
Online trader Amazon was fined 746 million euros in Luxembourg in 2021 for infringing the GDPR.
In the latest case, the DPC had initially wanted to force Meta to suspend the offending data transfers, saying that a fine "would exceed the extent of powers that could be described as being 'appropriate, proportionate and necessary.'"
But its peer regulators in the EU, known as Concerned Supervisory Authorities (CSAs), disagreed and said it should be "subject to an administrative fine," the DPC said.
With no hope of consensus, the Irish body referred the objections to the EDPB, which ruled that Meta Ireland must suspend the future transfer of personal data to the U.S. and pay a fine.
'Strong signal'
Clegg and Newstead said the EDPB decision to overrule the DPC "raises serious questions."
"No country has done more than the U.S. to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China," they claimed.
But EDPB Chair Andrea Jelinek characterized Meta's infringement as "very serious" and called its data transfers "systematic, repetitive and continuous."
"The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences," she added.
Privacy activist Max Schrems, who set off a decade of legal battles with his challenge against Meta over the movement of EU data to the U.S., welcomed the decision.
"Ever since Edward Snowden's revelations on U.S. big tech aiding the (National Security Agency) mass surveillance apparatus, Facebook (now Meta) was subject to litigation in Ireland," said his organization, the European Centre for Digital Rights.
But Schrems said far harsher sanctions could have been used as Meta had "knowingly broken the law to make a profit."
"It took us 10 years of litigation against the Irish DPC to get to this result... and risked millions of procedural costs," he noted.
"The Irish regulator has done everything to avoid this decision," he added.