Meta hit with a €1.2 billion fine, ordered to suspend the EU-US data transfers

, ,

Written by Karolina Lubowicka

Published May 23, 2023

Meta hit with a €1.2 billion fine, ordered to suspend the EU-US data transfers

US tech giant Meta has been fined a record €1.2 billion for breaching the rules of GDPR.

According to the Irish Data Protection Commission (DPC), an authority behind the ruling, Meta violated EU law by sending the personal data of Facebook users to the US, potentially exposing it to US surveillance.

The penalty has overshadowed the $746 million handed to Amazon in 2021 and is the fifth fine concerning Meta’s social media platforms to date.

The parent company of Facebook now has five months to suspend transfers of personal data to the US and six to stop unlawfully processing data sent to the US after the invalidation of Privacy Shield in 2020.

How Meta violated GDPR

In July 2020, the Court of Justice of the European Union (CJEU) struck down the data deal between the EU and the US known as Privacy Shield. The verdict was a response to the complaint lodged by Max Schrems, a founder of NOYB, against 101 European companies that use Google Analytics and Facebook. Schrems argued that, due to major differences in privacy standards afforded by each jurisdiction, transfers of personal data from the EU to the US through this software should be illegal under GDPR. 

The CJEU has decided in favor of Schrems, effectively banning the use of these platforms. In the absence of the data deal, European regulators tried to establish new temporary safeguards in the form of standard contractual clauses (SCC) and binding corporate rules (BCR). However, the proposed solution imposed a huge liability on the EU companies and could be easily challenged by the European data protection authorities.

Despite the concerns, Meta continued to rely on the SCC to legitimize its processes. The infringement resulted in the most significant fine in the history of GDPR. 

The Irish DPA’s verdict has been based on the binding dispute resolution decision by the European Data Protection Board (EDPB). According to Andrea Jelinek, chair of EDPB:

“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”

The fine is far below the threshold that the DPC could impose. In fact, the binding decision by the EDPB effectively forced Ireland’s DPA to rule against Meta.

Piotr Korzeniowski

CEO at Piwik PRO

DPC itself was reluctant to undermine the company’s operations and business. The decision, especially the part related to the suspension of data transfers, was heavily influenced by French and German DPAs, who have voiced their concern that it “is the only way to ensure that the GDPR is fully enforced”.

The fine won’t hinder Meta’s ability to operate in Europe, but the hard stop for the EU-US data flow may erode its business.

Will the new data deal solve the issues with Meta?

The new EU-US data agreement is currently in the works. The deal might again legitimize data transfers performed by Facebook and other platforms. But according to data protection bodies and privacy activists, the American and European authorities still haven’t worked out a satisfying solution.

On February 28, the EDPB released its opinion on the draft decision based on US President Joe Biden’s Executive Order. While the Board welcomes some improvements to the new draft, it also expresses multiple concerns about the proposed deal, including important exemptions to the right of access and the absence of key definitions.

NOYB has also criticized the recent version of the act. According to Max Schrems, the text fails to ensure privacy safeguards beyond those included in the previously invalidated frameworks.

– As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again – in flagrant breach of our fundamental rights – argues Schrems.

How can European companies prepare for what comes next?

It’s difficult to predict the outcome of the cases against Meta. The company has six months to work out the problems with illegal data transfers, and maybe more, considering its plans to appeal the verdict.

But the recent fines, along with the planned strengthening of the GDPR enforcement by the EU Commission, signal one crucial trend.

User privacy can no longer be treated as an afterthought. Companies that want to stay relevant in the EU market must adjust their ways to the local privacy standards. And big techs such as Meta and Google that have built their business on user data might have an extremely hard time reworking their strategies, considering the EU-US data conundrum is not the only compliance issue they face.

Luckily, there are many different ways to do marketing and advertising without the likes of Facebook. If you’d like to know how to prepare for a more privacy-friendly future, be sure to read our guides: