Meta has been hit with a €1.2bn fine by the EU and ordered to suspend transfers of user data to the US, in the largest penalty to be imposed against a Big Tech company in the bloc over privacy violations.
Ireland’s Data Protection Commission, which oversees the General Data Protection Regulation, handed down the fine to Meta on Monday, saying that Facebook had violated its rules requiring platforms to ensure data transfers from Europe to the US have appropriate safeguards in place.
Instead, the DPC found that the platform’s EU-US data flows had relied on contractual clauses that “did not address the risks to the fundamental rights and freedoms” of users, despite an earlier judgment from the EU’s Court of Justice mandating that it better protect individuals’ information from invasive US surveillance programmes.
The record EU fine over privacy violations comes after the Luxembourg regulator levied a €746mn sanction on Amazon in 2021.
According to the DPC, Facebook’s EU operation also has five months to “suspend any future transfer of personal data to the US” and six months to cease the processing — including storage — of any European citizens’ personal information in the US that was previously transferred in violation of GDPR.
Nick Clegg, Meta’s president of global affairs, said: “We are . . . disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.”
He added: “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”
The fine comes as Meta, which has a $630bn market capitalisation, is battling an advertising slump amid a broader economic slowdown, prompting chief executive Mark Zuckerberg to conduct several rounds of lay-offs and promise to deliver a “year of efficiency”.
It is the latest in a string of fines globally for the social media giant over lax privacy protections, including a $5bn penalty imposed by the Federal Trade Commission in 2019 in the wake of the Cambridge Analytica scandal.
Ireland’s regulator has drawn criticism from privacy activists and other data watchdogs in the bloc for lacking the ambition to go after Big Tech companies, either by imposing fines that are seen as too small or by not taking on cases in the first place.
Officials in Ireland will probably point to this fine as the latest evidence of proper enforcement of the rules.
Social media platforms have been in limbo since an EU court ruling in 2020 found that a previous EU-US privacy shield could not be relied on by companies seeking to comply with GDPR, as it did not sufficiently protect user data from US surveillance.
Meta last year threatened to pull out of the EU if Ireland’s data protection watchdog banned EU-US data flows, which would be severely disruptive to its business.
The company is expected to appeal against the DPC’s decision, during which time a new transatlantic privacy shield might come into place. In October 2022, US president Joe Biden signed an executive order detailing the measures the White House will take to adhere to a new EU-US data privacy framework that is currently being negotiated.