Meta, the owner of Facebook, has been slapped with a record-breaking fine of €1.2 billion ($1.3 billion) by Ireland’s Data Protection Commission (DPC) for unlawfully transferring European Union (EU) user data to the United States. The DPC, acting on behalf of the EU, announced the penalty following an investigation that began in 2020. The European Data Protection Board (EDPB) ordered the DPC to collect the administrative fine, citing Meta’s failure to address the risks to data subjects’ fundamental rights and freedoms as previously highlighted by the Court of Justice of the European Union (CJEU).
Meta, whose European headquarters are located in Dublin, expressed disappointment at being singled out and criticized the ruling, claiming it to be flawed, unjustified, and setting a dangerous precedent. The company’s President of Global Affairs, Nick Clegg, and Chief Legal Officer, Jennifer Newstead, stated in a blog post that they intend to appeal both the decision and the associated orders, seeking a stay through the courts to pause the implementation deadlines. The DPC referred the objections raised by Meta to the EDPB after failing to achieve a consensus. The EDPB subsequently ruled that Meta Ireland must halt future transfers of personal data to the United States and pay the substantial fine.
Clegg and Newstead criticized the EDPB’s decision, raising concerns about the implications and emphasizing that the US has made significant efforts to align with European rules compared to other countries. This latest fine adds to the growing list of penalties imposed on Meta by EU regulators over data breaches related to its Instagram, WhatsApp, and Facebook platforms. It marks the third fine imposed on the company in the EU this year and the fourth in just six months. In a similar vein, Amazon was fined €746 million in Luxembourg in 2021 for violating the EU’s General Data Protection Regulation. Meta’s intention to appeal underscores the ongoing tensions surrounding data transfers between the EU and the US and highlights the broader regulatory challenges faced by tech giants in relation to data protection and privacy.