Meta hit with record fine for transferring data of EU users to US
The European regulator penalized the American social media giant for breaching European privacy laws.
American social media giant Meta was hit with a record fine by the EU for violating the "fundamental rights" of European users and transferring their data to the United States, Irish Data Protection Commission DPC said on Monday.
This is not the first time that the company was penalized by the European Union for exploiting personal data. In the last six months, Meta - headquartered in Dublin - was fined four times over data violations by Facebook, Instagram, and Whatsapp.
In January, the commission fined the firm 390 million euros for breaching data laws by using targeted advertising on its apps in Europe. In March, Meta was hit with a 5.5 million euros penalty for breaching General Data Protection Regulation GDPR in its WhatsApp services.
Read more: Meta allows targeted hate speech, violence, but only against US rivals
The commission, which represents the EU, stated that the European Data Protection Board EDPB was instructed to collect "an administrative fine in the amount of 1.2 billion euros."
The investigation into Meta for breaching the data protection bill was launched in 2020.
The probe found that the US company has failed to "address the risks to the fundamental rights and freedoms of data subjects" that was addressed in an earlier ruling by the Court of Justice of the European Union CJEU.
Responding to the DPC ruling, Meta said it was "disappointed to have been singled out" and the decision was "flawed, unjustified and sets a dangerous precedent for the countless other companies".
"We intend to appeal both the decision's substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines," said Facebook's president of global affairs Nick Clegg, and chief legal officer Jennifer Newstead.
"There is no immediate disruption to Facebook in Europe," they added.
The company hoped that the United States and the European Union could implement a legal agreement in principle reached in 2022 that regulates the use and transfer of personal data.
Read more: 48 Australian politicians demand US to abandon Assange extradition
Halt and pay
Initially, attempting to force the company from proceeding with its violations, the DPC warned Meta that continuing data transfers would subject it to a fine that "would exceed the extent of powers that could be described as being 'appropriate, proportionate and necessary'".
However, EU's Concerned Supervisory Authorities CSAs opposed the idea, saying that the penalty it should be "subject to an administrative fine", the DPC added.
But its peer regulators in the EU, known as Concerned Supervisory Authorities (CSAs), disagreed and said it should be "subject to an administrative fine", the DPC said.
Eventually, after the DPC and CSAs failed to agree on the matter, the Irish regulator transferred the issue to the EDPB, which ruled that the Meta must pay a fine and halt transfer of personal data to the US.
Clegg and Newstead said the EDPB's decision to override the DPC's decision "raises serious questions".
"No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China," they added.
The head of EDPB Andrea Jelinek said that Meta's violations are "very serious" and called its data transfers "systematic, repetitive, and continuous".
"The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences," she added.
Austrian privacy activist Max Schrems, who has been fighting Meta's privacy violations in the EU for almost a decade, welcomed the ruling.
"Ever since Edward Snowden's revelations on US big tech aiding the (National Security Agency) mass surveillance apparatus, Facebook (now Meta) was subject to litigation in Ireland," Schrems's organisation, the European Centre for Digital Rights, said.
But he considered that the penalty was not equivalent of the crime committed by Meta, saying that the company "knowingly broken the law to make a profit".
"It took us 10 years of litigation against the Irish DPC to get to this result... and risked millions of procedural costs," he added.
"The Irish regulator has done everything to avoid this decision."