The parent company of Facebook, Meta, was slapped with one of the largest fines ever by a Europe’s privacy regulator over its handling of user information. Imposed by Ireland’s Data Protection Commissioner, the tech giant was granted five months to stop transferring users’ data to the United States.
Reuters wrote that “the battle over where Meta’s Facebook stores its data began a decade ago after Austrian privacy campaigner Max Schrems brought a legal challenge over the risk of U.S. snooping in light of disclosures by former U.S. National Security Agency contractor Edward Snowden.
Meta said in a statement that it will appeal the ruling, including the ‘unjustified and unnecessary fine that “sets a dangerous precedent for countless other companies.’ It will also seek a stay of the suspension orders through the courts.”
Most large international companies—not just tech firms—rely on a relatively free flow of data from Europe to the United States, but the judgment may make companies think twice.
The ruling raises pressure on the U.S. government to complete a deal that would allow Meta and thousands of multinational companies to keep sending such information stateside. The size of the fine also underscores the increasing risks of running afoul of the European Union’s privacy rules as its enforcement tightens, according to The Wall Street Journal.
Tech companies have been especially vulnerable to regulatory scrutiny over European privacy concerns. That has only increased since European courts overturned in 2020 a previous, data-sharing deal between the U.S. and EU.
Meta’s top privacy regulator in the EU said in its decision Monday that Facebook has for years illegally stored data about European users on its servers in the U.S., where it contends the information could be accessed by American spy agencies without sufficient means for users to appeal.
The 1.2-billion-euro fine surpasses the previous record of €746 million, or $806 million, levied under the General Data Protection Regulation, against Amazon in Luxembourg in 2021 for privacy violations related to its advertising business. Amazon has appealed that decision in Luxembourg courts.
The Data Protection Commission began the inquiry into Meta’s data-sharing practices in August 2020. The body determined earlier this month that Meta ran afoul of Article 46(1) of the GDPR — which allows tech companies under certain conditions to transfer personal data from the E.U. “to a third country or an international organisation” only if they provide “appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available,” according to The Washington Post.
The commission ruled that Meta violated the article “when it continued to transfer personal data from the E.U./EEA to the USA” after the 2020 ruling by the Court of Justice of the European Union that invalidated the Privacy Shield agreement.