Meta fined a record $1.3 billion over EU user data transfers to the U.S.
European privacy regulators have fined Meta a record-breaking 1.2 billion euros ($1.3 billion) over the transfer of EU user data to the U.S. The decision comes after Australian privacy campaigner Max Schrems contested the framework for transferring EU citizen data to America, arguing that it did not protect Europeans from U.S. surveillance. The Irish Data Protection Commission that oversees Meta’s operations in the EU found the company infringed the bloc’s General Data Protection Regulation (GDPR) when it transmitted European citizens’ personal data to the U.S despite the 2020 European court ruling. The GDPR is the EU’s landmark data protection regulation that governs firms in the bloc.
Meta used a mechanism known as standard contractual clauses to move personal data in and out of the EU, but the regulator said these arrangements “did not address the risks to the fundamental rights and freedoms of data subjects that were identified” by the European Court of Justice. The Irish Data Protection Commission has also ordered Meta to “suspend any future transfer of personal data to the US within the period of five months” from the decision. Meta said it would appeal the decision and the fine.
The Meta case is set to shift the spotlight back to the U.S. and the EU’s campaign to reach agreement on a new data transfer mechanism. The U.S. and EU agreed “in principle” to a new framework for cross-border data transfers in 2021 but the new pact has yet to come into effect.
FAQs
What did Max Schrems, the Australian privacy campaigner, contest about the framework for transferring EU citizen data to the U.S.?
Max Schrems argued that the framework did not protect Europeans from U.S. surveillance.
What is GDPR?
GDPR stands for General Data Protection Regulation, the EU’s landmark data protection regulation that governs firms in the bloc. It came into effect in 2018.
What mechanism did Meta use to transfer personal data in and out of the EU?
Meta used standard contractual clauses.
What was the Irish Data Protection Commission’s finding on the use of standard contractual clauses by Meta?
The regulator said that these arrangements “did not address the risks to the fundamental rights and freedoms of data subjects that were identified” by the European Court of Justice.
What was the previous largest fine for breaching GDPR?
The previous largest fine was a 746 million euro charge for e-commerce giant Amazon for breaching GDPR in 2021.
What has been ordered by the Irish Data Protection Commission to Meta?
Meta has been ordered to “suspend any future transfer of personal data to the US within the period of five months” from the decision.
EU imposes record $1.3 billion fine on Meta for transferring user data to the U.S.
Meta, formerly known as Facebook, has been hit with a record €1.2 billion ($1.3 billion) fine by European privacy regulators due to the transfer of EU user data to the US. The decision was made in response to a case brought by Australian privacy campaigner Max Schrems, who argued that the framework for transferring EU citizen data to America did not protect Europeans from US surveillance. Multiple mechanisms to legally transfer personal data between the US and the EU have been contested, including Privacy Shield, which was struck down by the European Court of Justice in 2020.
The Irish Data Protection Commission, which oversees Meta’s operations in the EU, alleges that the company infringed the bloc’s General Data Protection Regulation (GDPR) when it continued to send the personal data of European citizens to the US despite the European Court of Justice ruling. GDPR is the EU’s landmark data protection regulation that governs firms active in the bloc, and Meta used a mechanism called standard contractual clauses to transfer personal data in and out of the EU.
The Irish data watchdog said that the clauses were adopted by the European Commission, the EU’s executive arm, in conjunction with other measures implemented by Meta. However, the regulator said these arrangements “did not address the risks to the fundamental rights and freedoms of data subjects that were identified” by the European Court of Justice.
Ireland’s Data Protection Commission also told Meta to “suspend any future transfer of personal data to the US within the period of five months” from the decision. The €1.2 billion punishment for Meta is the highest any company has ever been fined for breaching GDPR. The previous largest fine was a €746 million charge for e-commerce giant Amazon for breaching GDPR in 2021.
Meta said it would appeal the decision and the fine. The Meta case will likely put focus back on the EU and Washington’s push to get a new data transfer mechanism agreed. The US and EU “in principle” agreed to a new framework for cross-border data transfers last year, but the new pact has not yet come into effect.