U.S tech giant Meta has been hit with a record €1.2 billion fine for not complying with the EU’s privacy rulebook.
The Irish Data Protection Commission announced on Monday that Meta violated the General Data Protection Regulation (GDPR) when it shuttled troves of personal data of European Facebook users to the United States without sufficiently protecting them from Washington’s data surveillance practices.
It’s the largest fine imposed under the bloc’s flagship General Data Protection Regulation (GDPR) privacy law and it comes on the eve of the fifth anniversary of the law’s enforcement on May 25.
Amazon was previously fined €746 million by Luxembourg and the Irish regulator also imposed four fines against Meta’s platforms Facebook, Instagram and WhatsApp ranging between €405 million and €225 million in the past two years.
The Irish privacy watchdog said that Meta’s use of a legal instrument known as standard contractual clauses (SCCs) to move data to the U.S. “did not address the risks to the fundamental rights and freedoms” of Facebook’s European users raised by a landmark ruling from the EU’s top court.
The European Court of Justice in 2020 struck down an EU-U.S. data flows agreement known as the Privacy Shield over fears of U.S. intelligence services’ surveillance practices. In the same judgment, the top EU court also tightened requirements to use SCCs, another legal tool widely used by companies to transfer personal data to the U.S.
Meta — as well as other international companies — kept relying on the legal instrument as European and U.S. officials struggled to put together a new data flows arrangement and the U.S. tech giant lacked other legal mechanisms to transfer its personal data.
The EU and U.S. are finalizing a new data flow deal that could come as early as July and as late as October. Meta has until October 12 to stop relying on SCCs for their transfers.
The U.S. tech giant previously warned that if it would be forced to stop using SCCs without a proper alternative data flow agreement in place, it could shut down services like Facebook and Instagram in Europe.
Meta also has until November 12 to delete or move back to the EU the personal data of European Facebook users transferred and stored in the U.S. since 2020 and until a new EU-U.S. deal is reached.
The Irish Data Protection Commission said it disagreed with the fine and measure that it was imposing on Meta but had been forced by the pan-European network of national regulators, the European Data Protection Board (EDPB), after Dublin’s initial decision was challenged by four of its peer regulators in Europe.