The Irish Data Protection Commission ordered Meta to suspend all transfers of personal data belonging to users in the E.U. and the European Economic Area — which includes non-E. U. countries Iceland, Liechtenstein and Norway — to the United States.
The Irish Data Protection Commission said in a statement that Meta’s data transfers were in breach of the E.U.’s General Data Protection Regulation (GDPR), rules that restrict what companies can do with people’s personal data. It is the largest GDPR fine handed down by the bloc, surpassing the previous record of $887 million against Amazon, a penalty issued in 2021 by a European privacy regulator that the firm said it would appeal.
The ruling attracted widespread criticism from industry representatives, who said it creates legal uncertainty for many companies who commonly transfer data across international waters.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the E.U. and U.S.,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, its chief legal officer, said in a statement about the fine.
They said there would be “no immediate disruption to Facebook in Europe.”
The move from the Irish Data Protection Commission is the latest development in a long-standing political and legal struggle to reconcile American laws on consumer data with European laws, which are more protective of online privacy and security
In 2020, the Court of Justice of the European Union ruled that a commonly used data protection agreement known as Privacy Shield did not adequately uphold E.U. privacy law, which forced many companies to reconsider how they store and collect the data of European customers. But companies thought they could continue transferring data across borders legally through an alternative legal mechanism called Standard Contractual Clauses.
In March 2022, President Biden issued an executive order deploying a preliminary deal struck between Biden and European Union leaders that created added checks on the collection of Europeans’ personal information by U.S. intelligence agencies and allowing them to seek redress if their data is unlawfully intercepted. The deal, which still needs final approval in the E.U., could be finalized by this summer, according to Clegg.
Peter Swire, a Georgia Institute of Technology professor who studies privacy and cybersecurity, said the United States still has to implement a few changes under the privacy framework before the E.U. can officially approve the deal. In the meantime, the Irish Data Protection Commission’s fine against Meta could have wide-ranging implications for the business sector, he said.
“Many other companies rely on the same standard contractual clauses that Facebook relied on,” said Swire, who served in both the Obama and Clinton administrations. “Today’s decision calls into question whether other companies have sufficient safeguards in place when they use these contracts.”
E.U. regulator hits Amazon with record $887 million fine for data protection violations
Industry groups and companies have been urging officials to approve the framework to create legal clarity for companies who transfer data across borders — a practice they say is critical for their business operations.
“The decision that was announced today is that it is crucial that that data privacy framework come into force because it’ll give certainty to companies [and] to individuals,” Aaron Cooper, vice president of global policy at the Business Software Alliance, said in an interview.
“What often gets lost in the conversation is that data transfers are used in every sector of the economy on both sides of the Atlantic. And it has become a cornerstone of the way companies expand job opportunities.”
Sean Heather, senior vice president for international regulatory affairs and antitrust at the U.S. Chamber of Commerce, also said the new privacy framework between the U.S. and the E.U should resolve the legal uncertainty created by Ireland’s Data Protection Commission fine against Meta.
“This issue goes far beyond Meta,” he said in a statement. “The time has come for the United States and the European Union to operationalize this agreement quickly, returning certainty to data flows that underpin transatlantic economic ties, society, and our international cooperation.”
Meta has faced regulatory scrutiny over its privacy practices for more than a decade, including from the Federal Trade Commission in the United States. Monday’s fine is far smaller than the $5 billion settlement that the company reached with the FTC in 2019 over its alleged mishandling of user data, ending an investigation that began in the wake of the Cambridge Analytica scandal.
That record-breaking fine marked a historic censure of a major tech company, but it was largely shrugged off by investors. The company’s critics in Congress said the penalty did not go far enough, calling it a “Christmas present” and a “mosquito bite” for the tech behemoth. Yet the FTC settlement is a harbinger of how government penalties can inflict more than financial pain on a company.
Under its agreement with the FTC, Meta had to launch privacy reviews of every new product or change to its service, and document how those changes affect users. The company also had to submit to third-party privacy audits for 20 years and appoint compliance officers and create a new committee within its board of directors to oversee privacy decisions.
Under Monday’s ruling, Meta will have five months to put in place measures to halt all future transfers of personal data to the United States and six months to stop “the unlawful processing, including storage, in the U.S. of personal data of E.U./EEA users transferred in violation of the GDPR.”
The Data Protection Commission began this inquiry into Meta’s data-sharing practices in August 2020. The body determined earlier this month that Meta ran afoul of Article 46(1) of the GDPR — which allows tech companies under certain conditions to transfer personal data from the E.U. “to a third country or an international organisation” only if they provide “appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
The commission ruled that Meta violated the article “when it continued to transfer personal data from the E.U./EEA to the USA” after a 2020 ruling by the Court of Justice of the European Union invalidated an agreement between E.U. and U.S. regulators called “Privacy Shield.”