EU Slaps Meta With Record €1.2 Billion Fine Over Sending User Data To US

Meta has been handed a fine worth €1.2 billion (nearly 1.3 billion USD) in Europe over improper handling of user data and violating data transfer rules. This is the largest fine ever imposed on a company ever since General Data Protection Regulation (GDPR) privacy law came into effect five years ago. In its official press release, the European Data Protection Board says Meta transferred a huge amount of data belonging to European users and shifted it to storage servers located in the US by leveraging standard contractual clauses (SCCs) since 2020.

To recall, the European Court of Justice nullified the data agreement between the US and the European Union, once known as the Privacy Shield, over concerns regarding surveillance and other intelligence-related activities. In the same order that was issued in 2020, the court also tightened the restrictions around SCC, a legal framework that was widely used by companies for cross-continent data transfer to the US.

The fine on Meta comes after an investigation by the Irish Data Protection Authority (IE DPA), which flagged "systematic, repetitive and continuous" infringement of the data transfer rules. Following the fine on Meta, the authorities in the EU bloc and the US are now actively brainstorming over a new data transfer framework that will be implemented this year. While the fine is a big deal in itself, what is really going to hurt Meta is the immediate order and an amended data transfer framework.

Flawed and dangerous, says Meta

The EDPB has ordered Meta to stop processing and transferring data of EU citizens within six months. In December 2022, the European Commission announced the beginning of discussions over a new data transfer framework between the US and EU that will pave the way for "safe trans-Atlantic data flows." The framework includes clauses like deleting personal data when longer needed for the task it was collected for, limited access to intelligence agencies, and independent redressal mechanism for users.

Meta, on the other hand, hasn't been a fan of the shrinking scope of SCC in the past and has even threatened that it would be forced to shut down the operation of services such as Instagram in the EU. In its annual report for 2022, Meta said that "if a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs," it will have no alternative than winding down Instagram and Facebook in the region.

Meta has until November to comply with erasing or bringing back all the data it has collected since 2020. Meta's president of global affairs, Nick Clegg, says the decision is "flawed, unjustified and sets a dangerous precedent" for all companies with operations that rely on data transfers between the EU and the US. The company is going to appeal the billion-dollar fine and will also ask the court to stay the deadline for erasing or moving back the data to the EU soil.