Meta Fined €1.2 Billion by EU Regulators for Transferring Facebook User Data to US Servers in Violation of GDPR

Meta, formerly known as Facebook, has been fined a record-breaking €1.2 billion ($1.3 billion) by European Union regulators for violating EU privacy laws by transferring the personal data of Facebook users to servers in the United States.[0] The Irish Data Protection Commission cited the fact that Meta’s continued data transfers to the US did not address “the risks to the fundamental rights and freedoms” of people whose data was being transferred across the Atlantic. The regulator also ordered Meta to “suspend any future transfer of personal data to the US within the period of five months” from the decision and bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months.[1] Meta responded to the decision by saying that it would appeal and seek a stay of the order through the courts, stating that the decision was “flawed” and “unjustified” and set a “dangerous precedent” for other companies transferring data between the EU and US.[2]

In the past, the transfer of data between the US and Europe was regulated by a framework known as the “Privacy Shield”, which permitted the data to be transmitted provided that US companies demonstrated their adherence to appropriate data protection measures.[3] However, in 2020, the European Court of Justice declared the Privacy Shield invalid as it did not protect data from being scraped by US surveillance programs.[4] Since then, EU and US regulators have been working on a new data framework to facilitate the safe transfer of EU citizens’ personal data to the United States. Meta said last month that it expected the new pact to be fully implemented before it had to suspend transfers.[0]

The fine is the largest ever levied under GDPR, and the previous record of €746 million ($805.7 million) was imposed on Amazon in 2021.[5] Meta’s ability to transfer users’ data to the US is critical to providing a global social network, and the company argues that the ability for data to be transferred across borders is fundamental to how the global open internet works.[6] However, EU regulators have been concerned that US surveillance programs could allow personal data to be accessed by US authorities and have been pushing for greater data protection. The ability to transfer data across borders is a critical issue for businesses and organizations that rely on data sharing to operate and provide services.[7]

The decision by the Irish Data Protection Commission to fine Meta was not unanimous, with four other national regulators in the bloc opposing a monetary fine.[8] The European Data Protection Board, comprised of EU data watchdogs, ultimately decided to impose the fine.[8] Meta’s use of a legal instrument known as standard contractual clauses (SCCs) to move data to the U.S. was not blocked by any court of the EU, but the Irish data watchdog said that the clauses were adopted by the European Commission, the EU’s executive arm, in conjunction with other measures implemented by Meta. Nevertheless, the regulator pointed out that the aforementioned agreements failed to manage the hazards to the basic rights and freedoms of data subjects, which were previously recognized by the European Court of Justice.[9]

0. “Facebook given record US$1.3 billion fine, given 5 months to stop EU-US data flows” CNA, 22 May. 2023, https://www.channelnewsasia.com/business/facebook-given-record-us13-billion-fine-given-5-months-stop-eu-us-data-flows-3506166

1. “Data Protection Commission announces conclusion of inquiry into Meta Ireland | 22/05/2023” Data Protection Commission, 22 May. 2023, https://www.dataprotection.ie/en/news-media/press-releases/Data-Protection-Commission-announces-conclusion-of-inquiry-into-Meta-Ireland

2. “EU accused of breaking up the internet after Facebook owner fined record £1bn” The Telegraph, 22 May. 2023, https://www.telegraph.co.uk/business/2023/05/22/meta-fined-data-transfers-eu-regulators-us

3. “Meta hit with record-breaking $1.3 billion fine over Facebook data transfers to the US” The Verge, 22 May. 2023, https://www.theverge.com/2023/5/22/23732461/meta-eu-privacy-fine-us-data-transfers-1-3-billion

4. “Meta fined a record $1.3 billion over EU user data transfers to the U.S.” CNBC, 22 May. 2023, https://www.cnbc.com/2023/05/22/meta-fined-record-1point3-billion-over-eu-user-data-transfers-to-the-us-.html

5. “Facebook owner Meta hit with record £1bn fine for breach of EU data regulations” Sky News, 22 May. 2023, https://news.sky.com/story/meta-hit-with-record-1bn-fine-for-breach-of-eu-data-regulations-12886729

6. “Meta warns its record $1.3 billion fine sets ‘dangerous precedent’” Business Insider, 22 May. 2023, https://www.businessinsider.com/meta-warns-its-record-13-billion-fine-sets-dangerous-precedent-2023-5

7. “Meta fined $1.3bn over transfer of EU user data to the US” Al Jazeera English, 22 May. 2023, https://www.aljazeera.com/news/2023/5/22/meta-fined-1-3bn-for-transferring-eus-user-data-to-the-us

8. “Facebook owner Meta fined €1.2bn for mishandling user information” The Guardian, 22 May. 2023, https://www.theguardian.com/technology/2023/may/22/facebook-fined-mishandling-user-information-ireland-eu-meta

9. “Meta fined a record $1.3 billion over E.U. user data transfers to the U.S.” NBC News, 22 May. 2023, https://www.nbcnews.com/news/world/meta-fined-record-13-billion-eu-user-data-transfers-us-rcna85515