Meta Platforms Inc. which owns Facebook was slapped with a record €1.2 billion ($1.3 billion) European Union privacy fine and given a deadline to stop sending users’ data to the United States after regulators said that the company failed to protect the personal information of users from the prying eyes of American security services.
The social network giant’s continued transfer of data to the United States did not address “the risks to the fundamental rights and freedoms” of users whose data was being transferred across the Atlantic, the Irish Data Protection Commission noted in its decision announced on Monday.
In addition to the fine, which surpasses a €746 million EU privacy penalty that was previously handed out to Amazon.com Inc., Meta was given a period of five months to “suspend any future transfer of personal data to the US” and six months to stop “the unlawful processing, including storage, in the US” of transferred personal EU data.
A ban on data transfers for Meta was expected widely and once prompted the US-headquartered firm to threaten a total withdrawal from the EU. But its impact has now been muted by the transition phase given in the decision and the prospect of a new EU-US data flows agreement that is likely to be operational by the middle of this year.
The decision on Monday is the latest round in a long-running saga that eventually saw Facebook and thousands of other companies plunged into a legal vacuum. In 2020, the top court of EU had annulled an EU-US pact that regulated the transatlantic flow of data over the fear that the data of citizens was not safe once it arrived on US servers.
Even as judges did not strike down an alternative tool based on contractual clauses, their doubts about the American data protection quickly led to a preliminary order from the Irish authority telling Facebook that it could no longer move data to the US via this other method either.
In December, EU regulators had unveiled a proposal to replace the previous “Privacy Shield” pact that had been torpedoed by the EU’s Court of Justice. This followed months of negotiations with the US, which yielded an executive order by President Joe Biden and US pledges to ensure that the data of EU citizens is safe once it is sent across the Atlantic.
The fine imposed on Meta coincides with the fifth anniversary of the EU’s General Data Protection Regulation, widely seen as the benchmark for privacy. Since May 2018, regulators in the 27-nation EU have had the power to weild fines of as much as four per cent of a company’s annual revenue for the most serious violations.
Overnight, the Irish watchdog turned into the lead privacy regulator for some of the biggest tech companies with an EU base in the country including the likes of Meta and Apple Inc.