Meta has been hit with a record €1.2 billion ($2 billion) fine by its lead European Union privacy regulator over its handling of user information and given five months to stop transferring users’ data to the United States.
The fine, imposed by Ireland’s Data Protection Commissioner, came after Meta continued to transfer data beyond a 2020 EU court ruling that invalidated an EU-US data transfer pact.
It tops the previous record EU privacy fine of €746 million ($1.2 billion) handed by Luxembourg to Amazon in 2021.
The battle over where Meta’s Facebook stores its data began a decade ago after Austrian privacy campaigner Max Schrems brought a legal challenge over the risk of US snooping in light of disclosures by former US National Security Agency contractor Edward Snowden.
Meta said in a statement that it would appeal the ruling, including the “unjustified and unnecessary fine that “sets a dangerous precedent for countless other companies”.
It will also seek a stay of the suspension orders through the courts.
The social media giant reiterated that it expected a pact facilitating the safe transfer of EU citizens’ personal data to the US would be fully implemented before it had to suspend transfers.
That would mean its previous warning that a stoppage could force it to suspend Facebook services in Europe would not eventuate.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos,” Meta said.
The DPC said in March that EU and US officials hoped that the data protection framework – agreed by Brussels and Washington in March 2022 – might be ready by July.
Europe’s top court, the European Court of Justice, threw out the two previous pacts over concerns about US surveillance.
Mr Schrems, the Austrian privacy campaigner, said Meta’s plans to rely on the deal for transfers going forward were unlikely to be a permanent fix.
“In my view, the new deal has maybe a 10 per cent chance of not being killed by the CJEU (EU Court of Justice),” he said in a statement.
“Unless US surveillance laws get fixed, Meta will likely have to keep EU data in the EU.”
The Irish watchdog, the lead EU regulator for many of the world’s top technology companies because of the location of its European headquarters in Ireland, has said the suspension order could create a precedent for other firms.
It has now fined Meta a total of €2.5 billion ($4.1 billion) for breaches under the bloc’s General Data Protection Regulations, introduced in 2018.
The DPC said it did not initially propose adding a fine to the suspension order, but four other EU supervising authorities disagreed and the record fine was included after a ruling by the European Data Protection Board.
The Irish regulator has fined Meta more than any other tech firm and has 10 other inquiries open into the social media group’s platforms.