
EU Regulator Hits Meta with Record $1.3 Billion Fine for Data Transfer Violations
Facebook parent company Meta has been fined €1.2 billion ($1.3 billion) by the Irish Data Protection Commission, the EU data protection regulator responsible for the company, for transferring the personal data of users in the region to the US.
In a binding decision taken by the European Data Protection Board (EDPB), the social media giant has been ordered to bring its data transfers into compliance with GDPR and to delete data that was unlawfully stored and processed within six months.
Additionally, Meta has been given five months to suspend future transfers of Facebook users' data to the US. Instagram and WhatsApp, which are also owned by the company, are not subject to the order.
“The EDPB found that the Meta IE violation was very serious because it involved systematic, repeated and continuous transfers,” Andrea Jelinek, Chair of the EDPB, said in a statement.
“Facebook has millions of users in Europe, so the volume of personal data transferred is enormous. This unprecedented fine is a strong signal to organizations that serious breaches have far-reaching consequences.”
European data protection authorities have repeatedly emphasized that the US lacks privacy protections on par with GDPR, meaning that data belonging to Europeans could potentially be accessed by American intelligence services once it is sent to servers located in the US.
The decision stems from a legal complaint filed by Austrian privacy activist Maximilian Schrems, founder of NOYB, nearly a decade ago in June 2013, over concerns that EU user data is not adequately protected from US intelligence agencies when transferred across the Atlantic.
“The simplest fix is a reasonable limit in US surveillance laws,” Schrems said. “There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval for oversight.
“It’s time to provide these basic protections to EU customers from US cloud providers. Other major US cloud providers, such as Amazon, Google or Microsoft could be subject to similar decisions under EU law.”
“Meta plans to rely on the new deal for transfers going forward, but this does not appear to be a permanent fix,” Schrems further added. “In my view, the new deal has probably a ten percent chance of not being killed by the CJEU. Unless US surveillance laws are improved, Meta will likely have to store EU data in the EU.”
Schrems also accused the Irish Data Protection Commission (DPC) of consistently trying to block cases from proceeding and of trying to shield Meta from both a fine and an order to delete the transferred data; the DPC was overruled on both of those points by the EDPB.
Meta, in response, said it intended to appeal the ruling, calling the fine “unjustified and unnecessary” and arguing that there was a “fundamental legal conflict” between the US government's rules on access to data and Europe's privacy rights.
“Without the ability to transfer data across borders, the internet risks fragmenting into national and regional silos, constraining the global economy and depriving citizens of different countries from accessing many of the shared services we have come to rely on,” Meta’s Nick Clegg and Jennifer Newstead said.
Last year, the company warned that if ordered to suspend transfers to the US, it might have to stop offering “some of our most significant products and services” in the EU. According to the Wall Street Journal, a new trans-Atlantic data transfer agreement, intended to replace the Privacy Shield framework invalidated by the CJEU in July 2020, is expected to be completed later this year.
The fine is the largest ever imposed under the EU's GDPR privacy law, surpassing the €746 million ($886.6 million at the time) fine handed out to Amazon in July 2021 for unlawfully processing personal data for advertising purposes.
The development also marks the third monetary sanction issued by the DPC against a Meta-owned service this year alone. In January, the watchdog fined Meta €390 million for unlawfully relying on contract as the legal basis for processing users' personal data to serve personalized ads on Facebook and Instagram.
Two weeks later, WhatsApp was fined €5.5 million for violating data protection laws by forcing its users to “consent to the processing of their personal data for the improvement and security of the service” and “making the accessibility of its services contingent on the user accepting the updated Terms of Service.”