The European Union has hit Meta Platforms, the parent company of Facebook, Instagram and WhatsApp, with a €1.2 billion (USD $1.3 billion) fine for privacy violations, the largest such fine ever issued by EU regulators.
The Irish Data Protection Commission (DPC) – which has jurisdiction over Meta’s activities in Europe because of the US tech giant’s headquarters in Dublin – announced the fine on Monday (May 22).
The commission found that Meta had violated the EU’s General Data Protection Regulation (GDPR) by shuttling Facebook users’ data to the US without the necessary safeguards in place to ensure the US wasn’t surveilling European users’ data.
The European Data Protection Board, which coordinates the activities of EU member states’ privacy commissions, “found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous,” EDPB Chair Andrea Jelinek said in a statement.
“Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
Meta had previously warned that, unless the European Union and the US come to an agreement on sharing of user data, it could shut down its services in the EU.
However, the commission gave Meta until October to delete or move back to the EU the personal data of Facebook users in EU member countries. Before that deadline arrives, it’s expected that the US and EU will have come to an agreement on new data protection regulations that will allow US companies to continue storing European user data in the US, Politico reports.
Facebook had relied on a previous US-EU agreement, known as Privacy Shield, for its transfers of European user data to the US, as well as legal tools known as standard contractual clauses (SCCs) that govern the transfer of personal data from the EU to other countries.
However, in 2020, the Court of Justice of the European Union (CJEU) struck down Privacy Shield as invalid, on the argument that the agreement didn’t do enough to protect EU citizens from surveillance carried out by the US government. It also narrowed the use of SCCs.
In its announcement of the ruling Monday, the DPC said that Facebook’s SCCs “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.”
In a statement issued Monday following publication of the DPC’s ruling, Nick Clegg, President of Global Affairs at Meta, and Jennifer Newstead, Meta’s Chief Legal Officer, warned that if the US and EU didn’t resolve their differences on privacy regulations, it could jeopardize billions of dollars’ worth of transatlantic trade.
“There is a fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans. It is a conflict that neither Meta nor any other business could resolve on its own. We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,” the statement read.
Clegg and Newstead’s statement also noted that the Irish Data Protection Commission had decided, in its initial ruling of July 2022, not to fine Meta over the violation.
However, four of the DPA’s peer organizations – which Politico identified as being agencies from Austria, France, Germany and Spain – challenged that decision, insisting that Meta face an administrative fine, and a requirement that it move users’ data back to Europe.
The DPC took the matter to the EDPB, which ruled that Meta should face a fine, and be required to stop sending EU users’ data to the US within five months of it being notified of the ruling, which reportedly took place on May 12.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US,” Meta’s Clegg and Newstead said in their statement.
“It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard.”
Prior to Monday’s ruling, the steepest penalty ever handed down by EU privacy regulators was a €746 million fine against online retailer Amazon, relating to the way the company obtained consent for targeted advertising.
Meta has also recently found itself in conflict with a US regulator – the Federal Trade Commission, which earlier this month said Meta “has failed to fully comply” with a 2020 privacy order, “misled parents about their ability to control with whom their children communicated through its Messenger Kids app, and misrepresented the access it provided some app developers to private user data.”
The FTC proposed a ban on Meta monetizing the data of under-18 users, a move that Meta described as a “political stunt.”