Meta fined $1.3 billion for violating E.U. data privacy rules

Meta has been hit with a record €1.2 billion ($1.3 billion) fine for breaching the European Union’s privacy law by transferring user data to the U.S.

The ruling by Ireland’s Data Protection Commission (DPC) also requires Meta’s Facebook to suspend data transfers from the E.U. to the U.S. The ruling applies only to Facebook — not to Meta’s other social platforms — which has at least five months to comply. 

The case relates to a 2013 complaint filed by Austrian privacy campaigner Max Schrems, who argued that in light of Edward Snowden’s revelations about tech companies being subject to U.S. surveillance programmes, Facebook could not guarantee the safety of E.U. user data that was transferred to the U.S.

Schrems won a lawsuit in 2020 to strike down a U.S.-E.U. agreement known as Privacy Shield through which companies, including Facebook, were permitted to move data across the Atlantic. A new Data Privacy Framework between the two regions is currently being developed.

In its ruling on Monday, the DPC said Meta failed to comply with the 2020 order that requires companies to protect data from U.S. surveillance, after admitting that it continues to receive requests from the U.S. government to disclose users’ communications.

In its ruling, the DPC said Meta’s data transfers “fail to guarantee a level of protection” that is “essentially equivalent to that provided by E.U. law.”

In its responses to the suit, the Facebook parent company has argued that such data transfers are necessary for the company to provide its service — but the DPC did not find this justifiable under GDPR.

Meta said it would appeal the decision and that there would be no immediate disruption to Facebook’s service in the E.U.

In a blog post, Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, the chief legal officer, said the company was being unfairly targeted.

“This is not about one company’s privacy practices — there is a fundamental conflict of law between the U.S. government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer,” the two said.

The Meta spokespeople went on to call the €1.2 billion fine “unjustified and unnecessary” and reiterated the company’s position on the necessity of data transfers.

“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on,” the statement said.