Meta has been fined 1.2 billion euros ($1.3 billion) by an Irish regulator for violating data transfer rules—the largest fine imposed under European Union’s privacy laws.
The fine was imposed by Ireland’s Data Protection Commission (DPC) after Meta was found to have violated the EU’s GDPR data protection laws by continuing to transfer personal data from the EU/European Economic Area (EEA) to the United States despite an EU court ruling from 2020 having invalidated a data transfer pact between the two regions. The $1.3 billion fine is the largest GDPR fine ever imposed and beats the 746 million euro fine imposed on Amazon.com in 2021 by Luxembourg.
The European Data Protection Board (EDPB) found that Meta’s infringement “is very serious since it concerns transfers that are systematic, repetitive, and continuous,” said EDPB Chair Andrea Jelinek, according to a May 22 news release.
“Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
Meta Ireland will now have to suspend any future transfer of personal data to the United States five months from being notified of the DPC decision. The company will also have to cease the “unlawful processing, including storage” of EU/EEA personal user data in the United States within six months of notification.
In a May 22 statement, Meta called the fine “unjustified and unnecessary.” It intends to appeal the ruling and seek a stay on the orders through the courts.
The company insisted that thousands of businesses and other entities rely on data transfers between the United States and the European Union to operate and provide services.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”
In a press release, the DPC said that Meta had violated “Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.”
In the case judged by CJEU (Court of Justice of the European Union), Austrian privacy campaigner Max Schrems had raised the possible risk of U.S. authorities snooping in on the personal data of EU citizens in the wake of disclosures made by former U.S. National Security Agency contractor Edward Snowden.
Officials from the United States and European Union are preparing a new data protection framework that was agreed upon by the two sides in March 2022. The DPC had earlier said that the new framework may be ready by July this year.
Since the introduction of GDPR rules in 2018, the Irish DPC has fined Meta a total of 2.5 billion euros for various violations. Meta has been fined the most by DPC. The regulator also has 10 more open inquiries into the company.
According to the DPC’s Annual Report for 2022 (pdf), it conducted 17 large-scale inquiries last year, of which five were related to Meta and its brands Facebook and Instagram. In total, the agency fined Meta over 1 billion euros last year.
One of the Meta cases on which the DPC issued a judgment last year was about the company allowing children between the ages of 13 and 17 to operate “business accounts” on Instagram.
“At certain times, the operation of such accounts required and/or facilitated the publication (to the world-at-large) of the child user’s phone number and/or email address,” the report said.
In some circumstances, Meta also set children’s accounts “public” by default, thereby making their social media content available to everyone. Meta was fined 405 million euros by the DPC in this case.