Meta, the parent company of Facebook, WhatsApp, and Instagram, has been slapped with a staggering fine of €1.2 billion (approximately $1.3 billion) by Ireland’s Data Protection Commission (DPC) for mishandling users’ data during its transfers between Europe and the United States. This unprecedented penalty represents the largest ever issued under the European Union’s General Data Protection Regulation (GDPR).
In response to the ruling, Meta swiftly announced its intention to appeal the fine, denouncing it as “unjustified and unnecessary” and warning that it sets a “dangerous precedent.” The company argues that it adhered to the same data transfer mechanisms used by numerous other businesses operating in Europe.
The fine was imposed due to Meta’s practice of transferring data belonging to European users to the United States for processing, despite a 2020 verdict by the highest court in the EU. The court ruled that the data was inadequately protected from surveillance by US intelligence agencies.
The DPC has ordered Facebook, specifically, to immediately cease this data transfer practice. Furthermore, the company has been given a minimum of five months to suspend any future transfers and an additional six months to halt the unlawful processing and storage of data within the US. It is worth noting that this decision does not apply to Instagram and WhatsApp, and it does not impact Facebook’s operations in the United Kingdom.
The DPC’s investigation found that Meta violated the GDPR by persisting in transferring EU user data to the US, despite the European Court of Justice’s explicit requirement for robust protection of such information. According to the regulator, Facebook’s use of standard contractual clauses, a legal instrument for data transfers, failed to address the risks to individuals’ fundamental rights and freedoms, as highlighted in the court’s judgment.
In a joint blog post, Nick Clegg, Meta’s President of Global Affairs, and Jennifer Newstead, its Chief Legal Officer, expressed disappointment at the company being “singled out” by the DPC, emphasizing that numerous other companies employ the same data transfer mechanisms to offer services in Europe.