Meta faces record 1.2 billion euro fine for data transfer violations

On May 22, the Irish Data Protection Commission (DPC) decided to fine Meta, Facebook's parent company, a record 1.2 billion euros ($1.3 billion) for sending Facebook user data in the European Union (EU) to servers in the US.

The DPC, which said it was acting on behalf of the EU, said the European Data Protection Board (EDPB) had ordered the DPC to "levy an administrative fine of €1.2 billion" on Meta. In addition, the DPC gave Meta five months to stop transferring European user data to the US.

This is one of the heaviest fines in the past five years since the EU enacted the General Data Protection Law. Previously, in 2021, Luxembourg imposed a record fine of 746 million euros ($821.2 million) on Amazon.com for violating this law.

Meta's European headquarters are in Dublin, Ireland. The DPC has been investigating Meta for transferring Irish user data to the US since 2020. The DPC said its investigation found that Meta "failed to address fundamental rights risks" related to user data. The DPC stressed that Meta had failed to comply with a 2020 European Court of Justice ruling that data transferred across the Atlantic was not adequately secured and could be monitored by US spy agencies.

For its part, Meta representatives said they will appeal and Facebook's services in the EU will not be interrupted.

The US and the EU signed an agreement called the Privacy Shield, which allows Facebook and other companies to transfer data between the two regions. However, in 2020, Austrian privacy activist Max Schrems won a lawsuit to invalidate the US-EU agreement. The European Court of Justice determined that the risk of US data interception violated the fundamental rights of users in Europe.

EU and US officials are negotiating a data-sharing pact that would give Meta new legal protections to continue transferring user data between the US and Europe. A preliminary agreement was announced last year.