By Mark McSherry
Facebook owner Meta Platforms has been hit by a record €1.2 billion fine by its lead European Union privacy regulator over its handling of user information — and given five months to stop transferring users’ data to the United States.
The fine, imposed by Ireland’s Data Protection Commissioner (DPC), came after Meta continued to transfer data beyond a 2020 EU court ruling that invalidated an EU-US data transfer pact.
Meta has also been given six months to stop “the unlawful processing, including storage, in the US” of transferred personal EU data.
The legal fight over where Meta’s Facebook stores its data began about 10 years ago after Austrian privacy campaigner Max Schrems brought a legal challenge over the risk of US snooping after disclosures by former US National Security Agency contractor Edward Snowden.
“The Data Protection Commission has today announced the conclusion of its inquiry into Meta Platforms Ireland Limited, examining the basis upon which Meta Ireland transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service …” said the DPC.
“The decision records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.
“While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (SCCs) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.”
Meta said in a statement that it will appeal the ruling, including the “unjustified and unnecessary” fine that “sets a dangerous precedent for countless other companies.”
It said it will also seek a stay of the suspension orders through the courts.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos,” Meta said.
Austrian privacy campaigner Schrems said Meta’s plans to rely on the new deal for transfers going forward was unlikely to be a permanent fix.
“In my view, the new deal has maybe a 10% chance of not being killed by the CJEU (EU Court of Justice). Unless U.S. surveillance laws gets fixed, Meta will likely have to keep EU data in the EU,” he said in a statement.