Meta, the parent company of Facebook, has been slapped with a record-breaking fine of 1.2 billion euros ($1.3 billion) by the Irish Data Protection Commissioner (DPC), its lead privacy regulator in the European Union. The penalty was imposed due to Meta's mishandling of user information and its failure to comply with an EU court ruling from 2020 that invalidated the EU-U.S. data transfer agreement. In addition to the fine, Meta has been given a five-month deadline to halt the transfer of users' data to the United States.
The fine, surpassing the previous record privacy penalty of 746 million euros imposed on Amazon by Luxembourg in 2021, marks a significant blow to Meta's data practices. The dispute over the storage and transfer of user data began a decade ago when Austrian privacy campaigner Max Schrems raised concerns about U.S. surveillance following revelations by former U.S. National Security Agency contractor Edward Snowden.
In response to the ruling, Meta expressed its intention to appeal, highlighting the unjustifiability and unnecessary nature of the fine, which it believes sets a dangerous precedent for numerous other companies. Meta plans to challenge the suspension orders through the courts while expecting the full implementation of a new data transfer pact that would facilitate the safe transfer of EU citizens' personal data to the United States before the suspension becomes effective.
Meta emphasized the importance of cross-border data transfers, warning that without this ability, the internet risks being fragmented into national and regional silos. The DPC previously stated that EU and U.S. officials aimed to have a new data protection framework in place by July 2022, following the annulment of the two previous pacts by the European Court of Justice due to concerns about U.S. surveillance practices.
Although Meta intends to rely on the new deal for future data transfers, privacy advocate Max Schrems expressed skepticism, suggesting that unless U.S. surveillance laws are rectified, Meta will likely be required to store EU data within the EU. The DPC's actions may serve as a precedent for other companies, given its role as the lead regulator for many major technology firms based in Ireland.
With a total of 2.5 billion euros in fines for breaches of the General Data Protection Regulation (GDPR) since its introduction in 2018, the Irish watchdog has demonstrated its determination to hold Meta accountable. The DPC's decision to impose the record fine followed a ruling by the European Data Protection Board (EDPB) and disagreements with four other EU supervisory authorities. In addition to the fine, the DPC has initiated 10 other inquiries into Meta's platforms, solidifying its position as the most fined tech company by the Irish regulator.
