Meta, the parent company of social media giants Facebook and Instagram, has been hit with the largest privacy fine in the history of the European Union — a staggering €1.2 billion ($1.3 billion) for failing to comply with the General Data Protection Regulation (GDPR). This landmark decision, issued by the Irish Data Protection Commission and the European Data Protection Board, further orders Meta to cease the transfer of data from European users to the United States — a move considered to be a significant risk to user privacy.
The decision has roots in a case brought forward by Austrian privacy campaigner Max Schrems, who argued that the framework for transferring EU citizen data to America did not sufficiently protect Europeans from US surveillance. Despite previous mechanisms to legally transfer personal data between the US and the EU, the latest iteration, Privacy Shield, was struck down by the European Court of Justice, the EU’s top court, in 2020.
The Irish Data Protection Commission has now instructed Meta to “suspend any future transfer of personal data to the US within the period of five months” from the decision. Meta used a mechanism called standard contractual clauses to transfer personal data in and out of the EU, but this method was challenged as it failed to address the risks to the fundamental rights and freedoms of data subjects identified by the European Court of Justice.
This fine eclipses previous record-breaking penalties imposed on Meta’s subsidiaries; Instagram was fined €405 million in 2022, and WhatsApp was penalized €225 million in 2021. The previous record fine by the EU was €746 million, levied against Amazon in 2021 for similar violations.
Meta has expressed its displeasure at the ruling, branding the fine as “unjustified and unnecessary,” and arguing that it is just one of thousands of companies doing the same. “We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, chief legal officer at the company, stated in a blog post.
The case puts the spotlight back on the EU and Washington’s efforts to establish a new data transfer mechanism. Last year, the US and EU agreed “in principle” to a new framework for cross-border data transfers, but this fresh pact has yet to be implemented. Meta hopes that this new EU-U.S. data privacy agreement will be in place before the Irish regulator’s deadlines come into effect, allowing its services to continue without disruption or impact on users.
The court decision gives Meta five months to stop transferring data to the US and six months to cease storing current data on EU residents in the US. As the saga continues, this ruling sends a strong message about the importance of user privacy and the lengths that regulatory bodies are willing to go to protect it. The world will be watching closely to see how Meta navigates this unprecedented challenge.