The substantial fine was imposed by the Data Protection Commission of Ireland, the primary regulatory body overseeing Facebook throughout the EU. The decision was prompted by Facebook's data transfer practices to the U.S., which were determined to fail in addressing threats to the "fundamental rights and freedoms" of EU users, in violation of the General Data Protection Regulation (GDPR).
This record-setting penalty is the heftiest ever under the EU's stringent GDPR privacy laws. Previously, the highest fine had been a €746 million charge slapped on Amazon in 2021 for similar breaches of privacy norms.
Besides the financial penalty, Meta was allotted a five-month timeframe to halt all future personal data transfers to the U.S. Additionally, it was granted a six-month period to stop any "unlawful processing, including storage, in the U.S." of any transmitted personal data. Notably, this order does not extend to Instagram and WhatsApp, also under the Meta umbrella.
Previously, a legal framework known as the "Privacy Shield" agreement permitted the transfer of personal data between the U.S. and the EU. However, this pact was nullified by the EU's highest court in 2020. The Irish regulator argues that Meta's continued transfer of personal data to the U.S. post-2020 contravenes EU GDPR regulations, given the court's ruling.
This contentious issue has spanned a decade, triggered by a lawsuit lodged by Austrian privacy advocate Max Schrems against Facebook in 2013. The suit stemmed from concerns, sparked by Edward Snowden's revelations, about insufficient protection for EU user data from U.S. intelligence agencies when transmitted across the Atlantic.
"This verdict is flawed, unwarranted, and creates a perilous precedent for the innumerable other companies moving data between the EU and the U.S.," commented Nick Clegg, Facebook's Global Affairs President, reacting to the judgment in a blog post. "We will challenge this ruling, including the unwarranted and superfluous fine, and petition the courts to defer the orders."