Meta has been hit with a record €1.2 billion ($1.3 billion) fine by European privacy regulators for the transfer of user data from the European Union to the US.
The decision relates to a case brought by Austrian privacy advocate Max Schrems, who argued that the framework for transferring data from EU citizens to the US did not protect Europeans from US surveillance.
Various mechanisms for legally transferring personal data between the US and the EU have been questioned. The last such iteration, Privacy Shield, was struck down by the Court of Justice of the European Union, the EU’s supreme court, in 2020.
The Irish Data Protection Commission running Meta’s overseas operations in the EU alleged that the company breached the bloc’s General Data Protection Regulation (GDPR) when it continued to send personal data of European citizens to the US. despite the 2020 European court ruling.
GDPR is the EU’s historical data protection regulation that governs companies active in the block. It entered into force in 2018.
Meta used a mechanism called standard contractual clauses to transfer personal data in and out of the EU. This was not blocked by any EU court. The Irish data watchdog said the clauses were adopted by the European Commission, the executive arm of the EU, along with other measures put in place by Meta. However, the regulator said that these arrangements «did not address the risks to the fundamental rights and freedoms of data subjects that were identified» by the Court of Justice of the European Union.
The Irish Data Protection Commission also told Meta to «suspend any future transfer of personal data to the US within five months» of the decision.
The penalty of 1.2 billion euros for Meta is the highest fine a company has ever received for breaching the GDPR. The previous largest fine was a €746 million charge for e-commerce giant Amazon for violating the GDPR in 2021.
Meta said he would appeal the decision and the fine.
“We are appealing these decisions and will immediately seek a stay in the courts, who can pause implementation timelines, given the harm these orders would cause, including to the millions of people who use Facebook every day,” said Nick Clegg, president of Goal. global affairs, and Jennifer Newstead, the company’s chief legal officer, in a blog post Monday.
The Meta case has refocused attention on the push by the EU and Washington to agree on a new data transfer mechanism. Last year, the US and the EU agreed “in principle” on a new framework for cross-border data transfers. However, the new pact has not yet entered into force.
Meta hopes that this EU-US data privacy agreement. The US is established before the deadlines of the Irish regulator are met.
If the new framework «goes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact to users,» Clegg and Newstead said.