EU fines Facebook $1.3 billion for privacy violations

The European Union fined Meta $1.3 billion on Monday saying Facebook’s parent company broke the bloc’s laws by transferring E.U. citizens’ user data to the United States. The Irish Data Protection Commission, which handed down the order, said the transfers violated the E.U.’s General Data Protection Regulation (GDPR). Meta’s European headquarters are in Dublin.

Dig deeper: ChatGPT under threat from European regulators

This is the largest GDPR fine ever handed down, surpassing the previous record of $887 million against Amazon in 2021. The ruling gives Meta five months to put in place measures to halt future transfers of personal data to the United States and six months to stop “the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR.”

Why we care. If the ruling is put in place Facebook would have to delete a huge amount of data and restructure its IT systems at a very fundamental level. It also would have enormous implications for any company transferring data between the two areas.

The best hope for staying the ruling is a new data transfer treaty between the U.S. and E.U.

Until 2020, these transfers were protected by the Privacy Shield treaty between the two governments. That year the E.U.’s highest court invalidated the treaty by ruling it did not sufficiently protect E.U. citizens’ data from American spy agencies. 

Negotiations have been underway since the high court’s ruling. Last year, President Biden and Ursula von der Leyen, the president of the European Union, announced the outlines of a deal, but the details are still being hammered out. No doubt Monday’s decision will increase the pressure on the U.S. to get it done. However, the complexity of the issues makes it difficult to move quickly.

Are you getting the most from your stack? Take our brief 2023 MarTech Replacement Survey

By the numbers. May 25 will be the fifth anniversary of GDPR, and Privacy Affairs has been tracking the fines – all 1,701 of them, for a grand total of over $4 billion:

• Meta accounts for over 50% of all GDPR fines – the company has amassed $2.5 billion in penalties.
• Meta has been fined seven times – including four just in 2022.
• By comparison, Amazon and Google have combined for more than $800 million in GDPR fines.

Only Facebook. The decision applies only to Facebook and not other Meta-owned platforms such as Instagram and WhatsApp.

The company said it plans to appeal.

“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, its chief legal officer, said in a statement.