Facebook and Instagram owner Meta has been hit with a record €1.2 billion fine for mishandling people’s data when transferring data between the EU and the United States.
Issued by Ireland’s Data Protection Commission (DPC), the fine links back to a case brought by Austrian privacy campaigner Max Schrems who argued that the framework for transferring EU citizen data to America did not protect Europeans from U.S. surveillance and broke GDPR laws.
The penalty is the largest ever to be imposed for breaches of GDPR and relates to Meta’s transfer of personal data to the US on the basis of standard contractual clauses (SCCs) since 16 July 2020.
The DPC and the European Data Protection Board (EDPB) say that using SCCs to facilitate these data transfers fails to adequately protect European personal data.
"The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous," Andrea Jelinek, chair of the EDPB said in a statement.
"Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences."
‘Unjustified and unnecessary’
This is not the first time Meta has found itself on the DPC’s firing line for the way it handles user data. Last November Meta was slapped with another $275 GDPR fine for failing to protect its users’ data from hackers.
It has also recently come under fire from the US Federal Trade Commission (FTC) which has threatened to ban Meta from profiting from minors’ data after accusing the tech giant of failing to implement proper parental controls.
A bit earlier than expected, but the Meta data transfers decision is out. Transfers suspended, data-deletion order, and a 1.2 billion euro fine. The most consequential GDPR enforcement action so far.
— Sam Clark (@sgclark92) May 22, 2023
Many large US tech companies have complex webs of data transfers – including email addresses, phone numbers and financial information – to overseas recipients, many of which depend on SCCs. Meta says that their broad use makes the fine unfair, calling the decision “unjustified and unnecessary."
"We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe," said Nick Clegg, President of Global Affairs at Facebook, in a blog post on Monday.
"This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and the US."
Privacy advocates, however, have welcomed the move. Caitlin Fennessy, of the International Association of Privacy Professionals, said: "The size of this record-breaking fine is matched by the significance of the signal it sends.”
"Today's decision signals that companies have a whole lot of risk on the table. It could make EU companies demand US partners store data within Europe - or switch to domestic alternatives,” she added.
Regardless, Clegg said that Meta would appeal the DPC’s ruling.
“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” Clegg added.
The fragmentation of EU-US data
As well as the hefty fine, Meta has been ordered to bring its data practices in line with GDPR by halting the unlawful processing of data within five months.
Since this includes the storage of EU data in the US, the decision throws the future of EU-US data transfers into uncertainty.
2/ ... the fine recommended by the EDPB (up to 100% of the GDPR limit) and the EDPB's assessment of Meta's "negligence" suggest that this is less about enforcing the GDPR and more about a crusade against (U.S.) Big Tech. As the Irish DPC noted: pic.twitter.com/HhrJYV7U9t
— Mikołaj Barczentewicz (@MBarczentewicz) May 22, 2023
In October last year, President Biden signed an Executive Order aimed at introducing new data protection safeguards for European citizens, but this new Data Privacy Framework (DPF) still needs to be finalised.
The Computer & Communications Industry Association (CCIA) is calling for a speedy resolution to protect the flow of data from the EU.
"To keep data flowing between the US and EU and to preserve the strength of our mutually beneficial trading relationship, prompt implementation of President Biden’s Executive Order is vital," says CCIA president Matt Schruers.
"We look forward to the US administration swiftly completing the implementation of all privacy safeguards and redress mechanisms that the Executive Order seeks to introduce."