European privacy regulators have imposed a record €1.2 billion ($1.3 billion) fine on Meta for the transfer of European Union user data to the United States. The decision stems from a case initiated by Austrian privacy activist Max Schrems, who argued that the framework for transferring EU citizen data to the U.S. failed to protect Europeans from American surveillance.
Legal mechanisms for transferring personal data between the U.S. and the EU have been challenged in the past. In 2020, the European Court of Justice (ECJ), the EU’s highest court, struck down the latest iteration known as Privacy Shield.
The Irish Data Protection Commission, which oversees Meta’s operations in the EU, alleges that the company violated the bloc’s General Data Protection Regulation (GDPR) by continuing to send European citizens’ personal data to the U.S. despite the 2020 ECJ ruling. The EU’s landmark data protection regulation, governing firms operating in the bloc, took effect in 2018.
Meta relied on standard contractual clauses to transfer personal data in and out of the EU, a mechanism not blocked by any EU court. The Irish watchdog acknowledged that these clauses were adopted by the European Commission, the EU’s executive arm, along with other measures implemented by Meta. However, the regulator argued that these arrangements “did not address the risks to the fundamental rights and freedoms of data subjects that were identified” by the ECJ.
The Data Protection Commission has also instructed Meta to “suspend any future transfer of personal data to the US within the period of five months” from the decision.
The €1.2 billion penalty for Meta is the largest ever imposed for a GDPR violation. The previous record was a €746 million fine levied on e-commerce giant Amazon in 2021.
Meta has announced its intention to appeal the decision and the fine. “We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” said Meta President of Global Affairs Nick Clegg and Chief Legal Officer Jennifer Newstead in a blog post on Monday.
The Meta case has refocused attention on the efforts of the EU and Washington to establish a new data transfer mechanism. The U.S. and EU “in principle” agreed to a new framework for cross-border data transfers last year, but the new pact has not yet taken effect. Meta is hoping the EU-U.S. data privacy agreement will be implemented before the Irish regulator’s deadlines.
If the new framework “comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users,” Clegg and Newstead stated.
