Facebook Owner Meta Fined €1.2bn For Mishandling User Information3 min read
The fine – equivalent to $1.3bn – imposed by Ireland’s Data Protection Commission (DPC), which regulates Meta across the EU, is a record for a breach of the bloc’s General Data Protection Regulation (GDPR).
The suspension of Facebook data transfers is not immediate and Meta has been given five months to enact it.
The DPC punishment relates to a legal challenge brought by an Austrian privacy campaigner, Max Schrems, over concerns resulting from the Edward Snowden revelations that European users’ data is not sufficiently protected from US intelligence agencies when it is transferred across the Atlantic.
The ruling does not impact data transfers at Meta’s other main platforms, Instagram and WhatsApp. Meta said it would appeal against the decision and seek a stay on the data transfer order.
The DPC said Meta infringed GDPR by continuing to transfer EU user data to the US despite a ruling by the European court of justice requiring strong protection of that information. The regulator said data transferred by Facebook under a legal instrument called standard contractual clauses “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the [court of justice] in its judgment”.
Meta said it had been “singled out” by the DPC despite thousands of other businesses using the same data transfer processes.
“We are … disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,” wrote Nick Clegg, the Meta president of global affairs, and Jennifer Newstead, the Meta chief legal officer, in a blog post on Monday.
Clegg and Newstead added: “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.” They said the internet risks being carved up into national and regional silos as a result.
A spokesperson for the European Commission – the EU’s executive arm – said it hoped a new framework for transatlantic data transfers would be “fully functional by the summer” which would provide the “stability and legal certainty” sought by US tech companies. Facebook would be able to resume data transfers under the new data regime, which has been agreed between Washington and Brussels at a political level but still requires agreement on implementation.
The spokesperson said it was “very clear” that the EU had worked with the US on putting “safeguards” protecting consumer data in place and it hoped to restore legal certainty.
The blog said there would be “no immediate disruption” to Facebook’s service in the EU because of the grace period announced by the DPC. However, in Meta’s most recent quarterly results, the company said that without SCCs or “other alternative means of data transfers” it would “likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe”.
The DPC said it had disagreed with other EU regulators over Meta’s punishment, which resulted in the European Data Protection Board, comprised of EU data watchdogs, stepping in to decide whether a fine should be imposed.
Mark Deem, a partner at the UK law firm Wiggin, said the size of the fine would send a warning to other businesses that transfer personal data outside the EU.
“One of the purposes of the figure is to serve as a warning to other companies about how they handle international data transfers,” he said