Data Violations: Irish Regulator Slaps Meta With $1.3 Billion Fine

Meta has been fined 1.2 billion euros ($1.3 billion) by an Irish regulator for violating data transfer rules, the largest fine imposed under the European Union’s privacy laws.

The fine was imposed by Ireland’s Data Protection Commission (DPC) after Facebook’s parent company was found to have violated the EU’s General Data Protection Regulation (GDPR) by continuing to transfer personal data from the EU/European Economic Area (EEA) to the United States, despite an EU court ruling from 2020 that invalidated a data transfer pact between the two regions.

It’s the largest GDPR fine ever imposed, topping a 746 million euro fine imposed on Amazon.com in 2021 by Luxembourg.

The European Data Protection Board found that Meta’s infringement “is very serious since it concerns transfers that are systematic, repetitive, and continuous,” board Chair Andrea Jelinek said in a May 22 statement.

“Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”

Meta Ireland will now have to suspend any future transfer of personal data to the United States for five months from being notified of the DPC decision. The company will also have to cease the “unlawful processing, including storage” of EU/EEA personal user data in the United States within six months of notification.

Meta Response

In a May 22 statement, Meta called the fine “unjustified and unnecessary.” It intends to appeal the ruling and seek a stay on the orders through the courts.

The company insisted that thousands of businesses and other entities rely on data transfers between the United States and the European Union to operate and provide services.

“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”

In a statement, the DPC said Meta had violated “Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the [Court of Justice of the European Union’s] judgment in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems.”

In that case, Austrian privacy campaigner Max Schrems pointed out the possible risk of U.S. authorities’ snooping into the personal data of EU citizens in the wake of disclosures made by former U.S. National Security Agency contractor Edward Snowden.

Officials from the United States and European Union are preparing a new data protection framework that was agreed upon by the two sides in March 2022. The DPC had earlier said that the new framework may be ready by July.

DPC and Meta Fines

Since the introduction of GDPR rules in 2018, the Irish DPC has fined Meta a total of 2.5 billion euros for various violations, more than any other entity. The regulator also has 10 more open inquiries into the company.

According to the DPC’s Annual Report for 2022, it conducted 17 large-scale inquiries last year, of which five were related to Meta and its brands Facebook and Instagram. In total, the agency fined Meta more than 1 billion euros last year.

One of the Meta cases on which the DPC issued a judgment last year was about the company’s allowing children between the ages of 13 and 17 to operate “business accounts” on Instagram.

“At certain times, the operation of such accounts required and/or facilitated the publication (to the world-at-large) of the child user’s phone number and/or email address,” the report said.

In some circumstances, Meta also set children’s accounts “public” by default, thereby making their social media content available to everyone. Meta was fined 405 million euros by the DPC in that case.