Meta has been fined 1.2 billion euros by the EU and ordered to suspend user data transfers to the US, in the biggest sanction imposed on a Big Tech company on the bloc for violation of privacy.
Ireland’s Data Protection Commission, which oversees the General Data Protection Regulation, fined Meta on Monday, saying Facebook had breached its rules requiring platforms to ensure that data transfers from Europe to the United States have appropriate safeguards.
Instead, the DPC found that the platform’s EU-US data feeds relied on contractual clauses that “did not address risks to fundamental rights and freedoms” of users, despite a earlier ruling by the EU Court of Justice ordering it to better protect personal information from invasive US surveillance programs.
The record EU fine for breaching privacy comes after the Luxembourg regulator imposed a 746 million euro fine on Amazon in 2021.
According to the DPC, Facebook’s European operation also has five months to “suspend any future transfers of personal data to the United States” and six months to cease processing – including storing – all citizens’ personal information. Europeans in the United States who were previously transferred. in violation of the GDPR.
Nick Clegg, President of Global Business at Meta, said, “We are. . . disappointed to have been singled out for using the same legal mechanism as thousands of other companies seeking to provide services in Europe.
He added: “This decision is wrong, unjustified and sets a dangerous precedent for the countless other companies that transfer data between the EU and the US.”
The fine comes as Meta, which has a market capitalization of $630 billion, battles a slump in advertising amid a broader economic downturn, prompting chief executive Mark Zuckerberg to carry out several rounds of layoffs and layoffs. promise to deliver a “year of efficiency”.
It’s the latest in a string of fines levied on the social media giant globally for lax privacy protections, including a $5 billion fine imposed by the Federal Trade Commission in 2019 in the wake of the Cambridge Analytica scandal.
The Irish regulator has drawn criticism from privacy campaigners and other data watchdogs across the bloc for not having the ambition to go after big tech companies either by imposing fines deemed too weak, or by not taking care of business in the first place.
Irish officials will likely point to this fine as the final proof of proper enforcement of the rules.
Social media platforms have been in limbo since an EU court ruling in 2020 found that a previous EU-US Privacy Shield could not be invoked by companies seeking to to comply with the GDPR, as it did not sufficiently protect user data from US surveillance.
Last year, Meta threatened to pull out of the EU if the Irish data protection authority banned data flows between the EU and the US, which would seriously disrupt its business.
The company is expected to appeal the DPC’s decision, during which time a new Transatlantic Privacy Shield could come into place. In October 2022, US President Joe Biden signed an executive order detailing the steps the White House will take to adhere to a new EU-US data privacy framework currently under negotiation.