Meta fined record US$1.3 billion by EU privacy regulator, ordered to stop transferring user data to U.S.


    22nd May 2023 – (Dublin) Meta, formerly known as Facebook, has been hit with a record 1.2 billion euro (US$1.3 billion) fine by the Data Protection Commissioner (DPC) in Ireland, its lead privacy regulator in the European Union, for its handling of user information. The fine concerns Meta’s continued transferring of personal data and tops the previous EU privacy fine record of 746 million euros imposed on Amazon by Luxembourg in 2021.

    The DPC has given Meta five months to stop transferring users’ data to the United States. Meta has said it will appeal the ruling, including the “unjustified and unnecessary fine”, and seek a stay of the orders through the courts.

    The long-running battle over where Facebook stores its data began a decade ago after Austrian privacy campaigner Max Schrems brought a legal challenge over the risk of US snooping in light of disclosures by former US National Security Agency contractor Edward Snowden.

    Meta had previously warned that a stoppage of data transfers could force it to suspend Facebook services in Europe. However, the company said last month that it expected a new data protection framework, agreed by the European Union and the US government in March 2022, to be fully implemented before it has to suspend transfers. Officials have said the framework may be ready by July, but Meta cautioned that there is a chance it might not be ready in time.

    The EU’s General Data Protection Regulation (GDPR) requires companies to obtain explicit consent from users before processing their personal data and prohibits the transfer of EU citizens’ data to countries without adequate privacy protections. The EU has concerns about the US government’s surveillance practices, which it believes infringe on EU citizens’ privacy rights.

    The DPC’s decision is likely to have significant implications for other companies that transfer data from the EU to the US, as it sets a precedent for the level of fines that may be imposed for non-compliance with GDPR.