Privacy authorities from the European Union have slapped a record-breaking fine of 1.2 billion euros ($1.3 billion) on Meta Platforms, the parent company of Facebook, for sending user data to the US. Authorities have also given a deadline by which Meta must cease all personal data transfers across the Atlantic.
The Irish Data Protection Commission revealed that Meta breached the General Data Protection Regulation (GDPR) when it transferred the personal data of Europeans to the US without sufficiently protecting them from “surveillance programmes” operated by the US government.
The Irish privacy watchdog pointed out concerns about NSA spy programs:
They said that Meta’s data transfers didn’t address “the risks to the fundamental rights and freedoms” of Facebook’s European users, resulting in the 1.2 billion euro fine. This amount eclipsed the 746 million euro fine by the EU against Amazon over privacy breaches.
The Irish privacy watchdog said Meta must also “suspend any future transfer of personal data to the US” and has about six months to halt “the unlawful processing, including storage, in the US” of European user data.
“The ban on data transfers was widely expected and once prompted the US firm to threaten a total withdrawal from the EU,” Bloomberg said.
There was one attempt to create a mechanism to transfer personal data from the EU to the US legally, but that was struck down several years ago by a European court over fears US spy agencies would have access to the data.
The EU’s data protection regulation, GDPR, came into effect in 2018 and has governed how tech companies handle customer data. Politico noted the largest GDPR privacy law fines over the past five years included some of the biggest tech companies:
Meta responded to Monday’s decision, calling the fine “unjustified and unnecessary.” The social media giant said it would appeal the ruling and highlighted no immediate disruption to EU Facebook users.
Nick Clegg, Meta’s president of global affairs, stated:
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”
Today’s action by the EU is the largest-ever fine for a company breaching GDPR.