Facebook’s parent Meta has been ordered to pay a record $1.3 billion (€1.2 billion) fine by the European Union, for failing to adhere to the bloc’s stringent privacy rules, in the latest severe financial penalty handed to an American tech giant by the EU.
The ruling was issued by the Irish Data Protection Commission, Meta’s chief regulator in the EU, as the company’s regional headquarters are located in Dublin.
The amount is the largest fine issued under the European Union’s General Data Protection Regulation, which has previously snagged the likes of Amazon and Google.
The Irish DPC said its investigation into Meta found that the company failed to address the risks to “the fundamental rights and freedoms” of EU citizens whose data it was transferring to the U.S.
Aside from the record fine, the regulator has ordered Meta to suspend “any future transfer of personal data” to the U.S. within the next five months.
Meta also has been given six months to stop the “unlawful processing” and storage of personal data of EU residents in the U.S.
In a lengthy blog post, Meta’s chief legal officer Jennifer Newstead and top spokesperson Nick Clegg said the penalty is “flawed” and “unjustified,” setting a “dangerous precedent for the countless other companies transferring data between the EU and US.”
The Irish DPC’s decision is part of a wider tussle between the European Union and American tech companies over cross-border data flows. Tech companies have long argued that the free flow of data across borders is essential for a global internet and attempts to prevent this will fragment the web and dramatically raise costs. In 2020, the European Court of Justice canceled a data flow agreement between the U.S. and the EU due to concerns over the surveillance practices of U.S. law enforcement and intelligence agencies. Since then, American and European officials have been working together to come up with a new data flow agreement, which is expected to be finalized later this year. U.S. tech giants, left in legal limbo in the meantime, have relied on alternate methods to transfer data, including something called standard contractual clauses (SCCs). The DPC’s investigation, however, found that Meta’s use of the SCCs failed to mitigate the risks identified by the European top court’s ruling.
In its statement, the DPC said it disagreed with the fine imposed on Meta, but it was forced to go ahead with it due to a decision by the pan-EU European Data Protection Board (EDPB). The EDPB’s intervention came after the DPC’s original ruling in the case—which only suspended Facebook’s data flows—faced opposition from four other national regulators in the bloc, who demanded a monetary fine.
New York-listed shares of Meta actually rose 2.5% in early trading, hovering near a 15-month high.