Facebook hit with record €1.2 billion GDPR fine for transferring EU data to US

European and Irish regulators have ordered Facebook owner Meta to pay a fine of 1.2 billion euros for violating the General Data Protection Regulation (GDPR) with transfers of personal data to the United States. It's the largest GDPR fine ever. Meta was also ordered to stop storing European Union user data in the US within six months, but it may ultimately not have to take that step if the EU and US agree on a new regulatory framework for international data transfers. The infringement by Meta's subsidiary in Ireland "is very serious since it concerns transfers that are systematic, repetitive, and continuous," European Data Protection Board (EDPB) Chair Andrea Jelinek said in an announcement today. "Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences." The Ireland Data Protection Commission (DPC) decided not to fine Meta in July 2022, but the ruling was subject to binding dispute resolution after some regulators in other European countries objected. The EDPB then overruled Ireland's DPC and instructed it to amend the draft to impose a fine. The EDPB also said it instructed Ireland regulators to order Meta "to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of European users transferred in violation of the GDPR, within six months after notification" of the final decision. Meta and a tech-industry trade group criticized the ruling. The Computer & Communications Industry Association (CCIA), which represents Meta and other tech companies, said the order to suspend data transfers "effectively makes the way the Internet works illegal, from video conferencing and browsing the Internet, to the processing of online payments." While the Ireland DPC's draft decision in July 2022 didn't include a fine, it said that Facebook's data transfers should be suspended. The DPC's view was that "exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being 'appropriate, proportionate and necessary' to address the infringement of Article 46(1) GDPR," the Irish regulator said.

“Highest degree of negligence”

Meta was found to violate article 46(1) of the GDPR, which says companies may only transfer personal data to another country if there are "appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available." The EDPB's binding decision said that Meta "committed the infringement of Article 46(1) with at least the highest degree of negligence" and that the infringement affects "a wide range of categories of personal data." Meta's design of Facebook "prevents it from providing this service" in Europe without the international data transfers that were found to violate the GDPR, "which suggests that a considerable part of its profits derived from the provision of the service in the EU arise from the breach of the GDPR," the EDPB said. A fine is necessary because of "the gravity of the infringement, taking into account the particularly large scope of the processing and the very high number of data subjects affected, as well as the long duration of the infringement, which is still ongoing," the EDPB decision said. The Ireland DPC issued a final decision that incorporates the required changes. In a blog post, Meta executives said the company is "appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day."

Meta hopes EU/US pact will come soon

Meta also said that "there is a fundamental conflict of law between the US government's rules on access to data and European privacy rights." EU and US officials have been negotiating a deal on data transfers. Meta said that if the pending EU-US Data Privacy Framework "comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users." "This decision is flawed, unjustified, and sets a dangerous precedent for the countless other companies transferring data between the EU and US," Meta wrote.