Facebook owner Meta Platforms Inc. was hit by a record €1.2 billion ($1.3 billion) European Union privacy fine and given a deadline to stop shipping users’ data to the US after regulators said it failed to protect personal information from the prying eyes of American security services.
The social network giant’s continued data transfers to the US didn’t address “the risks to the fundamental rights and freedoms” of people whose data was being transfered across the Atlantic, according to a decision by the Irish Data Protection Commission announced on Monday.
On top of the fine, which eclipses a €746 million EU privacy penalty previously doled out to Amazon.com Inc., Meta was given five months to “suspend any future transfer of personal data to the US” and six months to stop “the unlawful processing, including storage, in the US” of transferred personal EU data.
A data-transfers ban for Meta was widely expected and once prompted the US firm to threaten a total withdrawal from the EU. But its impact has now been muted by the transition phase given in the decision and the prospect of a new EU-US data flows agreement that could already be operational by the middle of this year.
Monday’s decision is the latest round in a long—running saga that eventually saw Facebook and thousands of other companies plunged into a legal vacuum. In 2020, the EU’s top court annulled an EU-US pact regulating transatlantic data flows over fears citizens’ data wasn’t safe once it arrived on US servers. While judges didn’t strike down an alternative tool based on contractual clauses, their doubts about American data protection quickly led to a preliminary order from the Irish authority telling Facebook it could no longer move data to the US via this other method either.
EU regulators in December unveiled proposals to replace the previous “Privacy Shield” pact that had been torpedoed by the EU’s Court of Justice. This followed months of negotiations with the US, which yielded an executive order by President Joe Biden and US pledges to ensure that EU citizens’ data is safe once it’s shipped across the Atlantic.
The Meta fine coincides with the fifth anniversary of the EU’s General Data Protection Regulation, widely seen as the world’s benchmark for privacy. Since May 2018, regulators in the 27-nation EU have had the power to wield fines of as much as 4% of a company’s annual revenue for the most serious violations. The Irish watchdog morphed overnight into the lead privacy regulator for some of the biggest tech firms with an EU base in the country, such as Meta and Apple Inc.