Facebook’s parent company Meta has been fined a record $1.3 billion by European Union data protection regulators for transferring the personal data of users in the region to the U.S.
In a binding decision taken by the European Data Protection Board (EDPB), the social media giant has been ordered to bring its data transfers into compliance with the GDPR and delete unlawfully stored and processed data within six months.
Additionally, Meta has been given five months to suspend any future transfer of Facebook users’ data to the U.S. Instagram and WhatsApp, which are also owned by the company, are not subject to the order.
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous,” Andrea Jelinek, EDPB Chair, said in a statement.
“Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
European data protection authorities have repeatedly emphasized the lack of equivalent privacy protections as that of GDPR in the U.S., potentially allowing American intelligence services to access data belonging to Europeans by virtue of them being shipped to servers located in the U.S.
The ruling stems from a legal complaint filed by Austrian privacy activist Maximilian Schrems, the founder of NOYB, almost a decade ago in June 2013 over concerns that E.U. user data is not sufficiently protected from U.S. intelligence agencies when transferred across the Atlantic.
“The simplest fix would be reasonable limitations in U.S. surveillance law,” Schrems said. “There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance.
“It would be time to grant these basic protections to E.U. customers of U.S. cloud providers. Any other big U.S. cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under EU law.”
“Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix,” Schrems further added. “In my view, the new deal has maybe a ten percent chance of not being killed by the CJEU. Unless U.S. surveillance laws get fixed, Meta will likely have to keep E.U. data in the EU.”
Schrems also accused the Irish Data Protection Commission (DPC) of consistently attempting to block the case from going forward and trying to shield Meta from being slapped with a fine and having to delete the data that has been already transferred, the latter two of which have been overturned by the EDPB.
Meta, in response, said it intends to appeal the ruling, calling the fine “unjustified and unnecessary” and that there is a “fundamental conflict of law” between the U.S. government’s rules on access to data and European privacy rights.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on,” Meta’s Nick Clegg and Jennifer Newstead said.
Last year, the company warned that if ordered to suspend transfers to the U.S., it may have to stop offering “a number of our most significant products and services” in the E.U. According to the Wall Street Journal, a new trans-Atlantic data transfer deal is expected to be finalized as a replacement for the Privacy Shield later this year.
The fine constitutes the largest ever imposed under the E.U.’s GDPR privacy laws, eclipsing the €746 million ($886.6 million at the time) fine previously doled out to Amazon in July 2021 for similar privacy violations.
The development also marks the third monetary penalty issued by the DPC this year alone. In January, the watchdog levied a fine of €390 million over its mishandling of user information to serve ads in Facebook and Instagram.
Two weeks later, it was fined €5.5 million for violating data protection laws by compelling its users to “consent to the processing of their personal data for service improvement and security” and “making the accessibility of its services conditional on users accepting the updated Terms of Service.”