Meta fined a record $1.3 billion for transferring EU user data to the US

Meta: was fined a record €1.2 billion ($1.3 billion) by European privacy regulators for transferring EU user data to the US.

The decision is linked to a case brought by Austrian privacy campaigner Max Schrems, who argued that the framework for transferring EU citizens’ data to America did not protect Europeans from US surveillance.

Several mechanisms for the legal transfer of personal data between the US and the EU have been contested. The most recent such iteration, Privacy Shield, was struck down by the European Court of Justice, the EU’s highest court, in 2020.

Ireland’s Data Protection Commission, which overseas Meta’s operations in the EU, alleged the company breached the bloc’s General Data Protection Regulation (GDPR) when it continued to send the personal data of European citizens to the US despite a 2020 European Court ruling.

GDPR is the EU’s most important data protection regulation that governs companies active in the bloc. It entered into force in 2018.

Meta used a mechanism called standard contractual clauses to transfer personal data in and out of the EU. This has not been blocked by any EU court. The Irish data watchdog said the provisions were adopted by the European Commission, the EU’s executive body, in conjunction with other measures being implemented by Meta. However, the regulator said these arrangements “did not address the risks to the fundamental rights and freedoms of data subjects that have been identified” by the European Court of Justice.

Ireland’s Data Protection Commission also told Meta to “suspend further transfers of personal data to the US” within five months of the ruling.

The €1.2 billion penalty for Meta is the largest ever fined for a GDPR breach. The previous largest fine of €746 million was levied on e-commerce giant Amazon for GDPR violations in 2021.

Meta said he would appeal the decision and the fine.

“We are appealing these rulings and will immediately seek a stay from the courts that could stay the enforcement dates, given the harm these orders could cause, including to the millions of people who use Facebook every day,” Meta’s president Nick Clegg. global affairs, and the company’s general counsel, Jennifer Newsted, said in a blog post on Monday.

The Meta case has re-focused efforts by the EU and Washington to agree on a new data transfer mechanism. The US and EU agreed “in principle” on a new framework for cross-border data transfers last year. However, the new contract has not yet entered into force.

Meta hopes that this EU-US data privacy agreement will be approved before the Irish regulator’s deadlines come into effect.

If the new framework “is up and running by the end of the implementation period, our services can continue as they do today without any disruption or impact to users,” Clegg and Newstead said.

Correction: This story has been updated to reflect Max Schrems’ Austrian nationality.