Meta has been fined a record-breaking €1.2 billion ($1.3 billion) by European Union regulators for violating EU privacy laws by transferring the personal data of Facebook users to servers in the United States.
The European Data Protection Board announced the fine in a statement Monday, saying it followed an inquiry into Facebook (FB) by the Irish Data Protection Commission, the chief regulator overseeing Meta’s operations in Europe.
The move highlights ongoing uncertainty about how global businesses may legally transfer EU users’ data to servers overseas.
The EU regulator said the processing and storage of personal data in the United States contravened Europe’s signature data privacy law, known as the General Data Protection Regulation. Chapter 5 of the GDPR sets out the conditions under which personal data can be transferred to third countries or international organizations.
The fine is the largest ever levied under GDPR. The previous record of €746 million ($805.7 million) was levied against Amazon (AMZN) in 2021.
Meta has also been ordered to cease the processing of personal data of European users in the United States within six months.
Meta’s infringement is “very serious since it concerns transfers that are systematic, repetitive and continuous,” said Andrea Jelinek, chair of the European Data Protection Board.
“Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences,” she added.
Facebook still available in Europe
Meta, which also owns WhatsApp and Instagram, said it would appeal the ruling, including the fine. There would be no immediate disruption to Facebook in Europe, it added.
The company said the root of the issue stemmed from a “conflict of law” between US rules on access to data and the privacy rights of Europeans. EU and US policymakers were on a “clear path” to resolving this conflict under a new transatlantic Data Privacy Framework.
The new framework seeks to end the limbo facing companies since 2020, when Europe’s top court struck down a transatlantic legal framework designed to address EU concerns about potential US government surveillance of European citizens, known as Privacy Shield.
The United States and the EU have been negotiating a successor agreement since last year. The continued lack of a Privacy Shield replacement threatens thousands of businesses that depend on being able to move EU user data to other jurisdictions, according to legal experts.
The European Data Protection Board “chose to disregard the clear progress that policymakers are making to resolve this underlying issue,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, the company’s chief legal officer, said in a statement.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US,” they added.
“The ability for data to be transferred across borders is fundamental to how the global open internet works. Thousands of businesses and other organizations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day.”
Ireland and Big Tech
Before Monday’s ruling, Ireland’s Data Protection Commission had handed Meta nearly $1 billion in fines for alleged violations of GDPR since the fall of 2021. But in this instance it was not in favor of fining Meta, judging that doing so exceeded what could be regarded as “proportionate” to address the infringement.
In its own statement Monday, the regulator said it was obliged to base its final ruling on the decision of the European Data Protection Board.
Ireland has a narrow path to tread between retaining top US tech companies, and aligning with the European Union’s hard-hitting approach to tech regulation.
Dublin is home to the European headquarters of Apple (AAPL), Meta, Twitter and Google (GOOG), which have created thousands of jobs in the country and boosted its economic growth.
Ireland’s low corporate tax rate of 12.5% has been a major factor in luring these firms. The country was among the last in the Organization for Economic Cooperation and Development to join a global agreement in 2021 to tax multinational firms at a minimum rate of 15%.
A year earlier, Apple won an appeal against a European Commission ruling that it owed Ireland €13 billion ($14.9 billion) in taxes, ruling that the EU executive had not proven that the company had received illegal state aid in the form of favorable tax agreements with Dublin. The Irish government sided with Apple in that dispute.
— Brian Fung contributed to this article.