Facebook parent company Meta was hit with a record 1.2 billion euro ($1.75 billion Cdn) fine by its lead European Union privacy regulator over its handling of user information and given five months to stop transferring users’ data to the United States.
The fine, imposed by Ireland’s Data Protection Commissioner (DPC), came after Meta continued to transfer data beyond a 2020 EU court ruling that invalidated an EU-U.S. data transfer pact. It tops the previous record EU privacy fine of 746 million euros ($1.09 billion Cdn) handed by Luxembourg to Amazon.com Inc in 2021.
The battle over where Meta’s Facebook stores its data began a decade ago after Austrian privacy campaigner Max Schrems brought a legal challenge over the risk of U.S. snooping in light of disclosures by former U.S. National Security Agency contractor Edward Snowden.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” Nick Clegg, Meta’s president of global affairs, and chief legal officer Jennifer Newstead said in a statement.
The social media giant reiterated that it expected a new pact facilitating the safe transfer of EU citizens’ personal data to the United States would be fully implemented before it has to suspend transfers.
That would mean its previous warning that a stoppage could force it to suspend Facebook services in Europe would not come to pass.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos,” Meta said.
The DPC said in March that EU and U.S. officials hoped that the new data protection framework — agreed by Brussels and Washington in March 2022 — may be ready by July.
Europe’s top court, the European Court of Justice, threw out the two previous pacts over concerns about U.S. surveillance.
Schrems, the Austrian privacy campaigner, said Meta’s plans to rely on the new deal for transfers going forward was unlikely to be a permanent fix.
“In my view, the new deal has maybe a 10 per cent chance of not being killed by the CJEU (EU Court of Justice). Unless U.S. surveillance laws gets fixed, Meta will likely have to keep EU data in the EU,” he said in a statement.
The Irish watchdog, which is the lead EU regulator for many of the world’s top technology companies because of the location of their European headquarters in Ireland, has said the suspension order could create a precedent for other firms.
It has now fined Meta a total of 2.5 billion euros ($3.65 billion Cdn) for breaches under the bloc’s General Data Protection Regulation’s (GDPR), introduced in 2018.
The DPC said that it did not initially propose adding a fine to the suspension order, but that four other EU supervising authorities disagreed and the record fine was included after a ruling by the European Data Protection Board (EDPB).
The Irish regulator has fined Meta more than any other tech firm and has 10 other inquiries open into the social media group’s platforms.