The Irish Data Protection Authority has fined Meta a whopping $1.95 billion (€1.2bn) because Facebook transferred user data from the EU to the US.
It’s the largest penalty in GDPR history.
Chair of the European Data Protection Board, Andrea Jelinek, described Meta’s infringement as “very serious” because it involved “systematic, repetitive and continuous” transfers of personal data.
“Facebook has millions of users in Europe, so the volume of personal data transferred is massive,” she said.
“The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
International data transfers are protected under the General Data Protection Regulation (GDPR) which states that personal data can only be moved to another country if there are “appropriate safeguards” that maintain the data rights of individuals.
An Austrian man named Maximillian Schrems had initially complained about Facebook to European regulators in 2013 saying the social media company should not have transferred his personal data to its US servers because it couldn’t guarantee protection from the extensive US surveillance activities revealed by whistleblower Edward Snowden.
The Schrems case led to a serious examination of the nature of the internet and the jurisdiction of the US National Security Authority (NSA) with European courts finding its activities should not extend to EU citizens.
In July 2020, the Court of Justice of the European Union (CJEU) made a judgement that defined a strict interpretation of how the GDPR governs data transfers, finding the movement of user data from Facebook’s Irish data centres to ones in the US was indeed captured by European regulation.
The tech giant was forced to remediate its data practices.
What the Irish Data Protection Authority has found in its latest inquiry is that Meta/Facebook has failed to adequately fix its data handling processes and that the US company “did not address the risks to the fundamental rights and freedoms of data subjects”.
Meta must stop transferring any European data to the US for five months.
Just over a year ago, leaked internal documents from Facebook showed concern that the company had lost control over its user data with the summary warning that Facebook does not “have an adequate level of control and explainability over how our systems use data”.
Meta’s head of global affairs Nick Clegg and chief legal officer Jennifer Newstead said Meta would appeal the fine.
“We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts,” they said in a statement.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”
Facebook – which became Meta in 2021 – has long faced regulatory issues because of its handling of personal data.
In 2019, it copped a $7 billion fine from the US Federal Trade Commission (FTC) for mishandling user data.
Australia’s Information Commissioner is also in the process of suing Meta for the Cambridge Analytica scandal that saw the data of more than 300,000 Australians scraped through a personality quiz.