Meta hit with record 1.2-billion-euro fine over EU data rules
May 23, 2023 11:32 PM
Facebook owner Meta has been fined a record 1.2 billion euros ($1.3 billion) for transferring EU user data to the United States in breach of a previous court ruling, Ireland's regulator announced on Monday.
The Irish Data Protection Commission (DPC), which acts on behalf of the European Union, said the European Data Protection Board (EDPB) had ordered it to collect "an administrative fine in the amount of 1.2 billion euros".
The DPC has been investigating Meta Ireland's transfer of personal data from the EU to the United States since 2020.
It found that Meta, which has its European headquarters in Dublin, failed to "address the risks to the fundamental rights and freedoms of data subjects" that were identified in a previous ruling by the Court of Justice of the European Union (CJEU).
The CJEU interprets EU law to make sure it is applied in the same way in all member states.
In response, Meta said it was "disappointed to have been singled out" and the ruling was "flawed, unjustified and sets a dangerous precedent for the countless other companies".
"We intend to appeal both the decision's substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines," Meta president of global affairs Nick Clegg and chief legal officer Jennifer Newstead said in a blog post.
"There is no immediate disruption to Facebook in Europe," they added.
Meta said it hopes to see the US and EU adopt a new legal framework for the use of personal data in the coming months, following an agreement in principle last year, which could allow it to continue its data transfer practices.
- Fourth fine -
EU regulators have hit Meta with four fines in six months -- and three this year -- over data breaches by its Instagram, WhatsApp and Facebook services.
In January, the DPC fined the social media giant 390 million euros for breaking data rules in its use of targeted advertising on its apps.
In March, Meta was made to pay 5.5 million euros for breaching the GDPR with its WhatsApp messaging service.
Online trader Amazon was fined 746 million euros in Luxembourg in 2021 for infringing the EU's General Data Protection Regulation (GDPR).
In the latest case, the DPC had initially wanted to force Meta to suspend the offending data transfers, saying that a fine "would exceed the extent of powers that could be described as being 'appropriate, proportionate and necessary'".
But its peer regulators in the EU, known as Concerned Supervisory Authorities (CSAs), disagreed and said it should be "subject to an administrative fine", the DPC said.
With no hope of consensus, the Irish body referred the objections to the EDPB, which ruled that Meta Ireland must suspend future transfer of personal data to the United States and pay a fine.
- 'Strong signal' -
Clegg and Newstead said the EDPB decision to overrule the DPC "raises serious questions".
"No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China," they added.
But EDPB chair Andrea Jelinek characterised Meta's infringement as "very serious" and called its data transfers "systematic, repetitive and continuous".
"The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences," she added.
Privacy activist Max Schrems, who set off a decade of legal battles with his challenge against Meta over the movement of EU data to the United States, welcomed the decision.
"Ever since Edward Snowden's revelations on US big tech aiding the (National Security Agency) mass surveillance apparatus, Facebook (now Meta) was subject to litigation in Ireland," said his organisation, the European Centre for Digital Rights.
But Schrems said far harsher sanctions could have been used as Meta had "knowingly broken the law to make a profit".
"It took us 10 years of litigation against the Irish DPC to get to this result... and risked millions of procedural costs," he added.
"The Irish regulator has done everything to avoid this decision," he added.
Biggest fines under EU privacy law
The European Union rolled out its mammoth data privacy regulation five years ago this week, and has since handed down billions in fines.
Ireland's data watchdog smashed the record for an individual fine on Monday when it demanded 1.2 billion euros ($1.3 billion) from Meta over its transfers of personal data between Europe and the United States.
Here are some of the worst offenders of the General Data Protection Regulation (GDPR):
- Meta: undisputed fine king -
Mark Zuckerberg's social media firm -- owner of Facebook, Instagram and WhatsApp -- has racked up roughly two billion euros in fines.
Breaches by Meta have included a mega-leak of some 533 million phone numbers and emails, mishandling children's data and repeatedly failing to give a legal basis for its data collection.
Meta, along with the likes of Google, Twitter and LinkedIn has its European headquarters in Ireland, a low-tax regime that has courted big tech.
The Irish privacy watchdog has been reluctant to hand down big fines but said in a statement on Monday that the EU's central authorities had ordered it to collect 1.2 billion euros from Meta.
Austrian campaign group NOYB said it had spent millions in a decade-long legal battle to force the Irish watchdog to tackle the case.
"It is kind of absurd that the record fine will go to Ireland -- the EU Member State that did everything to ensure that this fine is not issued," said NOYB's Max Schrems.
- US giants: In Meta's shadow -
Luxembourg lit a torch under the Silicon Valley data industry in 2021 by slapping Amazon with a record fine of 746 million euros.
The country, whose low-tax policies have led campaigners to label it a tax haven, confirmed the fine only after Amazon revealed it in its regulatory filings.
The Luxembourg watchdog told AFP on Monday that Amazon had not yet paid the fine because the company had filed an appeal that was still being considered.
The watchdog added that it was legally barred from publishing its decision in full until the case was resolved.
The online retail giant had been accused by a European consumer group of collecting personal data for ad-targeting without permission.
Google has faced plenty of GDPR pain too.
France's data watchdog hit the search giant with 50 million euros in fines for a lack of transparency on its Android mobile operating system in 2019 -- the biggest such fine of that year.
- Clearview AI: Widespread penalties -
Clearview AI may not be a household name, but it claims to own billions of photos of people's faces that it sells as a searchable AI-powered database to law enforcement and other clients.
It scrapes the images from the web, often from social media accounts, without asking permission.
Privacy watchdogs in Greece, Italy, France and the UK have all hit the US firm with fines totalling roughly 70 million euros, and regulators in Germany and Austria have declared its practices illegal.
The firm has consistently said it has no offices or clients in Europe and is not subject to EU privacy laws.
The status of the fines is unclear. France issued a penalty of five million euros recently, accusing the firm of failing to pay the initial fine.
- Public bodies, hacks -
In the early days of the GDPR, several watchdogs cracked down on public institutions, raising profound questions about the regulation's scope.
Bulgaria fined its own tax authority around three million euros in 2019 after hackers stole the details of millions of people.
But several issues in the case were referred to the European Court of Justice, including whether such a hack automatically meant the data controller had not complied with GDPR.
The court has not yet issued a final decision.
Portugal handed down one of the first significant fines under GDPR -- 400,000 euros -- in November 2018 to a hospital near Lisbon.
The watchdog ruled that the institution had allowed unauthorised access to patients' data and the case was seen as an early wake-up call for public bodies to get busy with GDPR compliance.
Portugal later gave public institutions three years to adapt to the new regime, meaning the fine was never enforced.