The European Union issued a $1.3 billion fine to Meta on Monday after finding that Facebook’s parent company broke the bloc’s laws by transferring user data from Europe to the United States.
The Irish Data Protection Commission, which handed down the order Monday, said in a statement that Meta’s data transfers were in breach of the E.U.’s General Data Protection Regulation (GDPR), a sweeping set of laws that restrict what companies can do with people’s personal data. Meta’s European headquarters are in Dublin.
The body also ordered Meta to suspend all transfers of personal data belonging to users in the E.U. and the European Economic Area — which includes non-E.U. countries Iceland, Liechtenstein and Norway — to the United States. Monday’s decision applies only to Facebook and not other Meta-owned platforms such as Instagram and WhatsApp, it said.
It is the largest GDPR fine the bloc has ever handed down, surpassing the previous record of $887 million against Amazon, a penalty issued in 2021 by a European privacy regulator that the firm said it would appeal.
E.U. regulator hits Amazon with record $887 million fine for data protection violations
Under the terms of the ruling, Meta will have five months to put in place measures to halt all future transfers of personal data to the United States and six months to stop “the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR.”
The company said it plans to appeal.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, its chief legal officer, said in a statement about the fine.
They said there would be “no immediate disruption to Facebook in Europe.”
Facebook paid GOP firm to malign TikTok
The move from the Irish Data Protection Commission is the latest development in a longstanding political and legal struggle to reconcile American laws on consumer data with European laws, which are more protective of online privacy and security.
The Data Protection Commission began this inquiry into Meta’s data-sharing practices in August 2020. The body determined earlier this month that Meta ran afoul of Article 46(1) of the GDPR — which allows tech companies under certain conditions to transfer personal data from the E.U. “to a third country or an international organisation” only if they provide “appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
The commission ruled that Meta violated the article “when it continued to transfer personal data from the EU/EEA to the USA” after a 2020 ruling by the Court of Justice of the European Union invalidated an agreement between E.U. and U.S. regulators called “Privacy Shield.”