Facebook owner Meta hit with record €1.2bn fine by Irish data watchdog

The penalty was imposed in relation to Facebook data transfers to the US, which European authorities have deemed to be unlawful.

Meta has also been instructed by Helen Dixon’s office to “suspend” Facebook personal data transfers from the EU to the US, and to stop storing the personal data of EU Facebook users in the US.

The company, which says it will appeal the ruling, has five months to comply with the Irish regulator’s verdict, meaning that Facebook users won’t immediately see their service disrupted between the US and EU.

The ruling applies to Facebook personal data, but not Instagram or WhatsApp, Facebook’s sister platforms under the Meta corporate brand.

The new fine means that the Irish regulator has now levied financial penalties of €2.5bn on Meta over the last two years. Under current arrangements, Ireland gets to keep the proceeds of those fines.

In a statement, the Irish regulator says that its initial decision, which would have seen a lower fine, was partly overruled by the European Data Protection Board (EDPB) on foot of objections from four of the 47 European data protection authorities.

The EDPB’s intervention resulted in a bigger fine than originally planned, according to the Irish regulator and European authorities. Previous reports suggested a fine of as little as €36m, far below today’s sanction.

In a response to the fine, Meta’s global affairs president Nick Clegg said that the company is “disappointed to have been singled out” for using the same legal mechanisms as other companies in Europe.

“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US,” he said.

Meta has almost 3,000 staff in Dublin with thousands of extra contractors also employed.

Meta’s appeal could delay implementation of the Irish regulator’s order beyond the five month period.

The company is expecting the EU and US to ratify a new treaty (called the ‘Data Privacy Framework’) that is likely to supersede the DPC’s decision under current law.

​This treaty was agreed, in draft form, between EU and US negotiators last year, with a view to implementation this year.

While there is still some opposition to it – a European Parliament committee urged its rejection until more explicit protection for fundamental privacy rights were clarified – most observers expect it to take effect in the coming months.

Max Schrems, the Austrian campaigner who initially brought the case against Facebook over data transfers, said that the fine vindicates his pursuit of the social media giant on the issue.

"We are happy to see this decision after ten years of litigation,” he said. “The fine could have been much higher, given that the maximum fine is more than €4 billion and Meta has broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems."

Mr Schrems took the original case against Facebook in protest at how his personal data was being abused by the tech giant.

The Irish Data Protection Commission said that its decision was spurred by a ruling from the European Court of Justice that classed commonly-used ‘Standard Contractual Clauses’ to be insufficient in protecting privacy rights.

“The decision records that Meta Ireland infringed Article 46 GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems,” the regulator said in a statement.

"While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.”

However, it also admitted that there had been disagreement over what fine should be imposed.

“A small number (4) of the 47 CSAs raised objections in relation to the corrective power that the DPC proposed to exercise by way of the draft decision. Within this subset of CSAs, all four CSAs took the view that Meta Ireland should be subject to an administrative fine for the infringement that was found to have occurred. Two of those CSAs also took the view that Meta Ireland should be ordered to take action to address the personal data that had already been unlawfully transferred to the US, [meaning] the data transferred from July 2020 to the present.

“The DPC disagreed, reflecting its view that the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being “appropriate, proportionate and necessary” to address the infringement of Article 46(1) GDPR.

“Following an informal consultation process, it became clear that consensus could not be reached. Consistent with its obligations under the GDPR, the DPC referred the objections to the European Data Protection Board (“the EDPB”) for determination pursuant to the Article 65 dispute resolution mechanism.”

More to follow...