The European privacy regulator has handed a record-breaking €1.2 billion fine to Meta, formerly Facebook.
The fine for the mishandling of user information was imposed by Ireland’s Data Protection Commissioner, which was enforcing EU privacy laws. Meta was also given five months to halt the transfer of user data to the United States.
The fine surpasses the previous highest privacy fine in the EU, which was a €746 million penalty imposed on Amazon.com in 2021.
The decision states that Meta Ireland infringed the EU’s privacy laws when it continued to transfer personal data from the EU to the US despite a judgment by the EU’s Court of Justice.
The dispute over the location of Facebook’s data storage has been ongoing for a decade. Court proceedings were initiated by Max Schrems, a well-known Austrian lawyer and privacy activist who raised concerns about US surveillance following disclosures by former US National Security Agency contractor Edward Snowden.
“Intelligence agencies in the US can get data from people who have done nothing wrong. We know of Snowden’s revelations of surveillance programs that have been in use for 10 years. Now there are certainly many more, of which we know nothing, being used in the US,” Schrems said a few years ago in an interview.
Now Schrems said he is happy with the record-breaking penalty, but thinks it should have been even higher “because the maximum fine is over 4 billion and Meta knowingly breached the General Data Protection Regulation for 10 years to make a profit.”
Proceeds from the fine will go to the Irish state, which is unfair according to Schrems. “We have been suing the Irish Data Protection Authority for 10 years to reach this conclusion. We had to file three proceedings … and risked millions in legal fees. The Irish Data Protection Commission did everything it could to avoid this decision but was repeatedly reprimanded by European courts and institutions. It is a bit absurd that the record fine should go to Ireland – the EU member state that did everything possible to ensure that this penalty was not imposed.”
Apart from the record fine, the tech company is also required to cease transferring European personal data to servers in the United States within five months and relocate the data stored overseas to Europe.
Last year, Meta threatened to leave Europe in the event that this scenario unfolded, but the company assured that this will not happen immediately. Meta stated its intention to appeal.
In a response, written by Nick Clegg, president of global affairs, and Jennifer Newstead, chief legal officer, Meta said it was “disappointed to have been singled out” and the ruling was “flawed, unjustified and sets a dangerous precedent for countless other companies”. Meta claims they are at a disadvantage because other American companies are still allowed to transfer data to the US.
They claim “no country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.”
Schrems says the solution has to be addressed by the US, where there should be privacy guarantees for all in the law. Such guarantees currently only exist for US citizens. Schrems, who has helped set up a data protection association, had already successfully taken two legal actions in the Court of Justice against the transfer of his personal Facebook data to the US.
In October 2015, the EU Court annulled the Safe Harbor agreement because of mass surveillance by US intelligence agencies, which until then had regulated the exchange of data between Europeans and the US. As a result, the European Commission adopted a new data-sharing agreement – the “Privacy Shield” – with the US in 2016, which was also overturned.
EU regulators have already hit Meta with fines of hundreds of millions of euros over data breaches by its Instagram, WhatsApp and Facebook services.
It is the third fine imposed on Meta so far this year in the EU, and the fourth in six months.
Following the EDPB’s binding dispute resolution decision, Meta Platforms Ireland Limited was issued a 1.2 billion euro fine as a result of an inquiry into its Facebook service by the Irish DPA – the largest GDPR fine to date! Read all about it here: https://t.co/ti4iFMm73M pic.twitter.com/iJnKZNMp1x
— EDPB (@EU_EDPB) May 22, 2023
