Meta, Facebook’s parent company, faces a €1.2bn fine for data mishandling.
2 min readIreland’s privacy regulator imposes a record penalty for EU data protection breaches.
Meta, the parent company of Facebook, is confronting a historic €1.2bn (£1bn) fine and has been directed to cease the transfer of user data from the European Union to the United States. This substantial penalty, issued by the Irish Data Protection Commission (DPC), which oversees Meta in the EU, establishes a new record for breaching the General Data Protection Regulation (GDPR) within the bloc. The suspension of Facebook’s data transfers is not immediate; Meta has been granted a five-month window to implement this directive.
The DPC’s penalty is linked to a legal dispute initiated by Max Schrems, an Austrian privacy activist, rooted in concerns raised by Edward Snowden’s disclosures. These concerns cast doubt on the adequacy of protection for European users’ data against US intelligence agencies during transatlantic transfers. It is important to note that the ruling does not impact data transfers on Meta’s other major platforms, namely Instagram and WhatsApp.
As per the DPC, Meta violated the GDPR by persisting in the transfer of EU user data to the US, disregarding a previous ruling by the European Court of Justice that mandated robust protection for such information. The regulatory body asserted that Facebook’s use of standard contractual clauses for data transfers failed to sufficiently address the risks to individuals’ fundamental rights and freedoms, as emphasized in the court’s judgment.
In response, Meta argued that it was unfairly singled out by the DPC, citing the common use of the same data transfer mechanism by numerous other businesses.
The DPC’s deviation from other EU regulators on the penalty for Meta prompted the intervention of the European Data Protection Board, comprising data protection authorities from across the EU. Their involvement aimed to determine whether a fine should indeed be imposed.