Meta, a US technology company, has been fined a record €1.2 billion ($1.3 billion) for transferring European consumers’ personal data to US servers.
According to the Irish Data Protection Commission, which oversees Meta’s operations in the EU, the firm violated the EU’s General Data Protection Regulation (GDPR) by continuing to export EU individuals’ personal data to the US notwithstanding a 2020 European court judgement banning such a practice.
According to the privacy watchdog, Meta’s use of standard contractual clauses (SCCs) to transmit data to the US “did not address the risks to the fundamental rights and freedoms” of Facebook’s European users raised by a landmark judgement from the EU’s top court.
Over fears of surveillance by American intelligence services, the European Court of Justice approved the Privacy Shield, an EU-US data transfers agreement, in 2020. It also strengthened the rules for employing SCCs, which are commonly used by businesses to transfer personal data to the US.
The Irish Data Protection Commission urged Meta on Monday to “suspend any future transfer of personal data to the US within five months” of the ruling.
The penalties of $1.3 billion is the biggest ever assessed for breaking the GDPR privacy rules. Amazon was previously fined €746 million for failing to comply with data processing standards in 2021.
Meta stated that it would appeal both the ruling and the fine.
“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” Meta’s president of global affairs, Sir Nick Clegg, and Jennifer Newstead, the company’s chief legal officer, stated on Monday.
According to reports, the EU and the US are nearing completion of a new data flow agreement, which could be signed as early as July or as late as October. Meta has until October 12 to discontinue reliance on SCCs for data transport.
The internet behemoth has warned that if it is forced to cease using SCCs without a proper alternative data flow agreement in place, it may be compelled to shut down services such as Facebook and Instagram in Europe.
