Meta, the parent company of Facebook, has been hit with a massive 1.2 billion euro ($1.3 billion) fine by the Data Protection Commissioner (DPC) of Ireland, the lead European Union privacy regulator. The fine is a result of Meta’s mishandling of user information and its continued transfer of data to the United States, despite a 2020 EU court ruling that invalidated an EU-U.S. data transfer pact. This record-breaking fine surpasses the previous highest EU privacy fine of 746 million euros imposed on Amazon.com Inc by Luxembourg in 2021.
The dispute over data storage practices by Meta’s Facebook has been ongoing for a decade, originating from concerns raised by Austrian privacy campaigner Max Schrems about the risk of U.S. surveillance following revelations by Edward Snowden, a former U.S. National Security Agency contractor. Meta has stated its intention to appeal the ruling, condemning the “unjustified and unnecessary fine” and asserting that it sets a dangerous precedent for other companies. The company also plans to seek a stay of the suspension orders through legal avenues.
Meta remains hopeful that a new data transfer agreement facilitating the safe transfer of EU citizens’ personal data to the United States will be fully implemented before the suspension of transfers becomes necessary. The company has warned that without cross-border data transfers, the internet risks being fragmented into national and regional silos. The DPC stated in March that EU and U.S. officials aimed to finalize a new data protection framework by July, which would address the concerns raised by the European Court of Justice over previous data transfer pacts.
Max Schrems, the privacy campaigner, expressed doubts about the viability of relying on the new agreement for long-term data transfers. He believes that unless U.S. surveillance laws are addressed, Meta will likely have to store EU data within the EU to comply with EU court rulings. The Irish DPC, as the lead EU regulator for major technology companies with European headquarters in Ireland, has now fined Meta a total of 2.5 billion euros for GDPR breaches. The suspension order and the hefty fine could have significant implications for other companies, as it sets a precedent for similar cases.
The Irish DPC initially did not propose a fine alongside the suspension order, but four other EU supervising authorities disagreed. The record fine was subsequently included after a ruling by the European Data Protection Board. The DPC has taken a firm stance with Meta, levying the highest fines among tech companies and initiating 10 additional investigations into various platforms owned by the social media giant. These actions underscore the EU’s commitment to enforcing the General Data Protection Regulation introduced in 2018 and its determination to protect user data privacy.