Meta Platforms has been fined a record $1.3 billion for violating Europe’s data privacy law.
The fine, announced Monday (May 22) by the Irish Data Protection Commission (DPC), came after the regulator found that Meta violated Europe’s General Data Protection Regulation (GDPR) by failing to protect European Facebook users’ data from U.S. surveillance practices.
Like many tech companies — Microsoft, Uber and Amazon among them — Meta’s European headquarters are in Ireland, which makes that country the main privacy regulator for the firm.
According to multiple media accounts, the fine was the largest on record related to the GDPR, surpassing the $806 million levy against Amazon in Luxembourg in 2021.
“We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts,” Meta said on its blog Monday.
The company said there would also be “no immediate disruption” to Facebook in Europe, as the decision includes implementation periods that run until later this year.
In addition to the fine, Meta has until October to “suspend any future transfer of personal data to the U.S.” and six months to cease “the unlawful processing, including storage, in the U.S.” of EU users’ personal data.
The fine stems from a 2020 ruling by the European Court of Justice that quashed an agreement between the U.S. and EU known as the Privacy Shield.
The European Court of Justice in 2020 struck down an EU-U.S. data flows agreement known as the Privacy Shield over fears of U.S. intelligence services’ surveillance practices.
As reported here last year, the European court ruled that America’s safeguards for Europeans’ data weren’t strong enough. That left Meta relying on a legal tool known as the Standard Contractual Clauses (SCC) to keep data flowing.
However, the data protection commission said last year — and reaffirmed in Monday’s announcement — that SCCs are not sufficient to comply with the EU court ruling. In other words, the company cannot use this mechanism to move data to the U.S.
Meanwhile, the EU and U.S. are at work on a new data flow arrangement that could be signed before the end of the year.
Meta was also fined by the DPC in January — this time for $422 million — after the commission concluded that Meta Ireland’s advertising business model is not compliant with the GDPR.