EU slaps Meta with $1.3 billion fine for moving data to US servers

The Irish Data Protection Commission (DPC) has announced a $1.3 billion fine on Facebook after claiming that the company violated Article 46(1) of the GDPR (General Data Protection Regulation).

More specifically, it was found that Facebook transferred data of EU-based users of the platform to the United States, where data protection regulations vary per state and have been deemed inadequate to protect the rights of EU data subjects.

Article 46(1) of the GDPR forbids transfers of personal data to countries or international organizations that lack safeguards that warrant safety and legal remediation mechanisms.

As a result of the infringement, the DPC imposed a record €1.2 billion fine ($1.3 billion) on Facebook's parent company, Meta Ireland, and requested that all data transfers that violate the GDPR be suspended within five months of the decision.

Additionally, Meta will be required to stop processing or holding any data illegally transferred from the EU to the U.S. within six months of DPA's announcement.

The timeline

Facebook had previously been transferring data between European countries and US under the GDPR's 2016 EU-US Privacy Shield, which allowed the storage of EU data with US companies on the Privacy Shield list.

The changes in international data transfers under GDPR were changed in the July 2020 "Schrems II" case, where CJEU judged that any transfers of personal data on the Privacy Shield Decision are illegal and stricter data control regulations need to be introduced.

In August 2020, the Irish DPC initiated an inquiry into Meta's data transfer activities. In July 2022, it published a draft decision highlighting that the tech giant was breaching Article 46(1) of the GDPR.

On April 13, 2023, the European Data Protection Board (EDPB) adopted a binding decision, instructing the DPA to impose a fine on Meta and to order it to comply with GDPR. 

Today, the Irish DPC imposes the $1.3 billion administrative fine reflecting EDPB's decision, punishing Meta with a penalty determined on EDPB's guidelines (20% to 100% of the maximum applicable), given the seriousness of the infringement.

Meta's response

Meta has responded to the decision via a blog post, saying that seamless cross-border data transfers are of crucial importance to business continuity, and finds that the administrative fine and restriction orders will have a severe impact on its services in Europe.

The company says all transatlantic data transfers are controlled by Standard Contractual Clauses (SCCs) used by all organizations, which the CJEU previously accepted as a valid alternative to ascertain "legal safeguards."

"Like thousands of other businesses, Meta used SCCs believing them to be compliant with the General Data Protection Regulation (GDPR)," comments the tech giant.

The company finds the fine unfair, unnecessary, and disproportionate, and plans to appeal the ruling and contest the severity of the fine and underlying orders.

"This is not about one company's privacy practices – there is a fundamental conflict of law between the US government's rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer," explained Meta.

Meta criticizes EDPB's decision to ignore DPC's acknowledgment that the company had previously acted in good faith and also highlights the bad timing of these procedures, considering that the forthcoming Data Privacy Framework (DPF) is soon to be implemented, resolving the current legal conflicts.