European Union privacy regulators fined Meta a record 1.2 billion euros ($1.3 billion) over the transfer of EU user data to the U.S.
The EU ordered the platform to stop sending users’ personal information to the U.S. by October.
Meta, the parent company of Facebook, previously warned that its services may be cut off for its European users.
The company vowed to appeal the decision and the fine.
The decision links back to a case brought by Austrian privacy campaigner Max Schrems who argued that the framework for transferring EU citizen data to America did not protect Europeans from U.S. surveillance.
Several mechanisms to legally transfer personal data between the U.S. and the EU have been contested. The latest such iteration, Privacy Shield, was struck down by the European Court of Justice, the EU’s top court, in 2020.
The Irish Data Protection Commission, which oversees Meta's operations in the EU, alleged that the company infringed the bloc’s General Data Protection Regulation when it continued to send the personal data of European citizens to the U.S. despite the 2020 European court ruling.
GDPR is the EU’s landmark data protection regulation that governs firms active in the bloc. It came into effect in 2018.
Meta used a mechanism called standard contractual clauses to transfer personal data in and out of the EU. This was not blocked by any court of the EU. The Irish data watchdog said that the clauses were adopted by the European Commission, the EU’s executive arm, in conjunction with other measures implemented by Meta. However, the regulator said these arrangements “did not address the risks to the fundamental rights and freedoms of data subjects that were identified” by the European Court of Justice.
The company said “there is no immediate disruption to Facebook in Europe.” The decision applies to user data like names, email and IP addresses, messages, viewing history, geolocation data and other information that Meta — and other tech giants like Google — use for targeted online ads.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” Nick Clegg, Meta’s president of global affairs, and chief legal officer Jennifer Newstead said in a statement.
It’s yet another twist in a legal battle that began in 2013 when Austrian lawyer and privacy activist Max Schrems filed a complaint about Facebook’s handling of his data following former National Security Agency contractor Edward Snowden’s revelations of electronic surveillance by U.S. security agencies. That included the disclosure that Facebook gave the agencies access to the personal data of Europeans.