The European Union has imposed a staggering €1.2 billion ($1.3 billion) penalty on Meta, formerly Facebook, for infringing on European data privacy regulations. The European Data Protection Board issued the fine following an investigation by the Irish Data Protection Commission, which oversees Meta’s operations in Europe.
The EU regulator declared that Meta’s handling and storage of personal data in the United States violated the General Data Protection Regulation (GDPR), the EU’s crucial data privacy law. Specifically, Chapter 5 of the GDPR delineates the conditions under which personal data can be transmitted to third countries or international organizations. This development underscores the ambiguity surrounding the lawful transfer of EU users’ data to foreign servers.
Notably, this fine constitutes the largest ever imposed under the GDPR, surpassing the previous record of €746 million ($805.7 million) set on Amazon in 2021. Additionally, Meta has been instructed to discontinue processing the personal data of European users within the United States within a six-month timeframe.
According to Andrea Jelinek, Chair of the European Data Protection Board, Meta’s violation is deemed “extremely grave” as it involves systematic, repetitive, and ongoing data transfers. She added, “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine strongly signals organizations that serious infringements have far-reaching consequences.”
Meta Plans to Challenge Ruling and Ensures Continuity of Operations in Europe
Meta, the parent company of WhatsApp and Instagram, has announced its intention to challenge the ruling and the accompanying fine. The company assures there will be no immediate disruption to Facebook’s operations in Europe.
Meta attributes the core issue to a “conflict of laws” between US regulations governing data access and the privacy rights of European individuals. They emphasize that EU and US policymakers are actively working towards resolving this conflict by establishing a new transatlantic Data Privacy Framework.
This framework addresses the uncertainty businesses had faced since 2020 when the European Court of Justice invalidated the Privacy Shield, a legal mechanism designed to address EU concerns regarding potential US government surveillance of European citizens. Negotiations between the United States and the EU have been ongoing to establish a successor agreement since last year. As per legal experts ‘ analysis, the absence of a Privacy Shield replacement poses a significant threat to numerous businesses that rely on the ability to transfer EU user data to other jurisdictions.
Meta’s Response to the Ruling: Strong Criticism and Concerns over Precedent
In a joint statement, Meta’s President of Global Affairs, Nick Clegg, and Chief Legal Officer, Jennifer Newstead, expressed their disappointment with the European Data Protection Board’s decision, highlighting that it overlooked the significant strides policymakers have made to address the underlying issue.
Further, they added, “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US. The ability for data to be transferred across borders is fundamental to how the global open internet works. Thousands of businesses and other organizations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day.”
Before the recent ruling, the Data Protection Commission of Ireland had issued nearly $1 billion in fines to Meta for alleged GDPR violations since the autumn of 2021. However, in this case, the commission did not support imposing a penalty on Meta, deeming it disproportionate to address the infringement.
In their statement on Monday, the regulator emphasized that they were obligated to base their final decision on the ruling of the European Data Protection Board. This puts Ireland in a delicate position as it navigates between maintaining a favorable environment for top US tech companies and aligning with the European Union’s stringent approach to tech regulation.