Meta slapped with €1.2bn fine on 'data transfers'

US-EU data transfer pact was invalidated in 2020 and Meta continued transfers beyond invalidation of agreement

By Web Desk
This photo shows Meta's logo behind the arrow in Meta corporate headquarters in Menlo Park, California. — AFP/File

Mark Zuckerberg's Meta was directed on Monday to pay a whopping fine of 1.2 billion euros ($1.3 billion) by Ireland's Data Protection Commissioner (DPC), which found it liable for violating previous court rulings regarding the transfer of European users' data to the US.

The DPC has been investigating the matter since 2020.

The European Union’s (EU) privacy regulator also granted Meta five months to cease the data transfers to the US.

The DPC said the European Data Protection Board (EDPB) had ordered it to collect "an administrative fine in the amount of 1.2 billion euros".

The US-EU data transfer pact was invalidated in 2020 and Meta continued the transfers beyond the invalidation of the agreement.

The fine imposed by the DPC on Meta surpassed the previous record EU privacy fine of 746 million euros, imposed by Luxembourg on Amazon in 2021.

Meta said that it will appeal the ruling, including the "unjustified and unnecessary fine" that "sets a dangerous precedent for countless other companies." It will also seek a stay of the suspension orders through the courts.

"We intend to appeal both the decision's substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines," Meta president of global affairs Nick Clegg and chief legal officer Jennifer Newstead said in a blog post.

"There is no immediate disruption to Facebook in Europe," they added.

Meta said it hopes to see the US and EU adopt a new legal framework for the use of personal data in the coming months, following an agreement in principle last year, which could allow it to continue its data transfer practices.

This photo shows a person walking past a newly unveiled logo for "Meta,". — AFP/File

Meta maintained: "Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos."

EU and US officials hoped that the new data protection framework, agreed by Brussels and Washington in March 2022, might be ready by July, the DPC said in March.

The European Court of Justice, Europe's apex court, threw out the two previous pacts over concerns about US surveillance.

Austrian privacy campaigner Max Schrems said Meta's plans to rely on the new deal for transfers in the future were unlikely to be a permanent fix.

"In my view, the new deal has maybe a 10% chance of not being killed by the CJEU [EU Court of Justice]. Unless US surveillance laws get fixed, Meta will likely have to keep EU data in the EU," he said in a statement.

The EU's Irish regulator has said the suspension order could create a precedent for other firms.

It has now fined Meta a total of 2.5bn euros for breaches under the bloc's General Data Protection Regulation (GDPR), introduced in 2018.

The DPC said that it did not initially propose adding a fine to the suspension order, but that four other EU supervising authorities disagreed and the record fine was included after a ruling by the EDPB.

In January, the DPC fined the social media giant 390m euros for violating data rules in its use of targeted advertising on its apps.

In March, Meta was made to pay 5.5m euros for breaching the GDPR with its WhatsApp messaging service.

In the latest case, the DPC had initially wanted to force Meta to suspend the offending data transfers, saying that a fine "would exceed the extent of powers that could be described as being appropriate, proportionate and necessary."

"Ever since Edward Snowden's revelations on US big tech aiding the [National Security Agency] mass surveillance apparatus, Facebook [now Meta] was subject to litigation in Ireland," Schrems said.

But Schrems said far harsher sanctions could have been used as Meta had "knowingly broken the law to make a profit."

"It took us 10 years of litigation against the Irish DPC to get to this result... and risked millions of procedural costs," he added.