Meta fined $1.3bn over transfer of EU user data to the US
Facebook, Instagram owner says ruling is ‘flawed, unjustified and sets a dangerous precedent for countless other companies’.
Facebook owner Meta has been fined a record 1.2 billion euros ($1.3bn) for transferring EU user data to the United States, Ireland’s regulator says.
The Irish Data Protection Commission (DPC), which acts on behalf of the European Union, said on Monday that the European Data Protection Board (EDPB) ordered it to collect “an administrative fine”.
In response, Meta said it was “disappointed to have been singled out”, and the ruling was “flawed, unjustified and sets a dangerous precedent for the countless other companies”.
“The ability for data to be transferred across borders is fundamental to how the global open internet works,” Meta President of Global Affairs Nick Clegg and Chief Legal Officer Jennifer Newstead said in a blog post. “… Thousands of businesses and other organisations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day.”
“We intend to appeal both the decision’s substance and its orders, including the fine, and will seek a stay through the courts to pause the implementation deadlines,” they said.
This is the largest fine imposed under the General Data Protection Regulation. In 2021, Amazon was fined 746m euros ($807m) in Luxembourg for breaching the bloc’s data protection laws.
Third fine in a year
Initially, Ireland’s DPC had wanted to force Meta to suspend the offending data transfers, saying a fine “would exceed the extent of powers that could be described as being ‘appropriate, proportionate and necessary'”.
But its peer regulators in the EU, known as Concerned Supervisory Authorities (CSAs), disagreed.
“All four CSAs took the view that Meta Ireland should be subject to an administrative fine,” the DPC said.
With no hope of consensus, the DPC referred its objections to the EDPB, which ordered that Meta Ireland suspend future transfers of personal data to the US and pay a fine.
In Meta’s blog post, the company said the EDPB decision to overrule the DPC “raises serious questions”.
“No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China,” Clegg and Newstead contended.
EU regulators have already hit Meta with fines of hundreds of millions of euros over data breaches by its Instagram, WhatsApp and Facebook services.
It is the third fine imposed on Meta so far this year in the EU and the fourth in six months.