In a landmark decision, Meta has been slapped with a colossal €1.2 billion ($1.3 billion) fine by European Union authorities for violating EU privacy laws. The core issue at hand involves the contentious transfer of personal data belonging to Facebook users to servers based in the United States.
The ruling was announced today by the European Data Protection Board, following a comprehensive inquiry into Facebook’s operations, spearheaded by the Irish Data Protection Commission. The commission acts as the chief watchdog regulating Meta’s operations within Europe.
We obtained a copy of the decision for you here.
This decision underscores the ongoing debate and legal complexity surrounding the mechanisms global companies can employ to transfer the data of EU users to overseas servers.
EU regulators stressed that Meta’s handling and storage of personal data on American servers infringe the provisions of Europe’s flagship data privacy regulation, the General Data Protection Regulation (GDPR). Specifically, Chapter 5 of the GDPR establishes the conditions for the transfer of personal data to countries outside of the EU or to international organizations.
This penalty represents the heftiest fine ever issued under the GDPR, comfortably surpassing the previous record of €746 million ($805.7 million) inflicted on Amazon in 2021.
Meta has also been instructed to cease processing the personal data of European users on US servers within the next six months.
Describing Meta’s violation as “systematic, repetitive, and continuous,” Andrea Jelinek, chair of the European Data Protection Board, stressed the severity of the infringement. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine sends a powerful message to organizations about the significant repercussions of serious infringements,” Jelinek added.
Meta, the tech conglomerate that also owns WhatsApp and Instagram, has pledged to appeal the ruling and the associated fine, insisting that there would be no immediate disruption to Facebook services in Europe.
According to the company, the root of the contention lies in the “conflict of law” between US rules governing access to data and the privacy rights of Europeans. Meta expressed optimism that EU and US policymakers were on a “clear path” toward resolving this conflict under a newly proposed transatlantic Data Privacy Framework.
“Thousands of businesses and organizations rely on the ability to transfer data between the EU and the US to operate and provide everyday services,” Meta said in a statement. “This is not about one company’s privacy practices – there is a fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer. We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts.”