Meta Fined Record £1bn Over Facebook Data Transfers

facebook, libra, social network, mark zuckerberg, meta

Ireland data office fines Facebook parent Meta £1bn over continued transfers of user data to US, presenting risk to ‘fundamental rights’

Facebook owner Meta has been fined a record 1.2 billion euros ($1.3bn, £1bn) and has been ordered to stop transferring Facebook user data to the US.

Ireland’s Data Protection Commission (DPC), the chief data regulator of Meta across the EU, said Meta had not done enough to protect the data when it was transferred overseas and had violated GDPR privacy rules.

The fine is greater than the EU’s previous biggest GDPR penalty of 746m euros given to Amazon.com in 2021.

Meta has been given five months to “suspend any future transfer of personal data to the US” and six months to stop “the unlawful processing, including storage, in the US” of transferred personal EU data.

ai artificial intelligence data network pexels facebook, meta, user data
Image credit: Pexels

Data protection

The ruling doesn’t affect the data transfers of Meta’s other main platforms, Instagram and WhatsApp.

The penalty relates to a legal challenge originating from the disclosures of Edward Snowden, which showed Europeans’ data was not sufficiently protected from US intelligence agencies when processed in the country.

As a result in 2020 the European Court of Justice struck down a previous agreement called Privacy Shield that had allowed data transfers.

The DPC said Facebook data transfers under a different measure called standard contractual clauses “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the [Court of Justice] in its judgment”.

‘Singled out’

Meta in February threatened to withdraw entirely from Europe if data transfers were barred, but the transition phase may allow the transfers to continue under an upcoming agreement.

EU regulators in December unveiled a proposal to replace Privacy Shield and this could be in operation by the deadline specified by the Ireland DPC.

Meta said it had been “singled out” by the DPC and that thousands of other businesses transfer data using contractual clauses.

“We are … disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,” wrote Meta president of global affairs Nick Clegg and chief legal officer Jennifer Newstead in a Monday blog post.

“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US,” they wrote.