Meta Fined €1.2 Billion and Ordered to Halt E.U.–U.S. Data Flow

The European Data Protection Board:

Following the EDPB’s binding dispute resolution decision of 13 April 2023, Meta Platforms Ireland Limited (Meta IE) was issued a 1.2 billion euro fine following an inquiry into its Facebook service, by the Irish Data Protection Authority (IE DPA). This fine, which is the largest GDPR fine ever, was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses (SCCs) since 16 July 2020. Furthermore, Meta has been ordered to bring its data transfers into compliance with the GDPR.

Meta’s Nick Clegg and Jennifer Newstead:

Today, the Irish Data Protection Commission (DPC) has set out its findings into Meta’s use of this common legal instrument to transfer Facebook user data between the EU and the US. Despite acknowledging we had acted in good faith and that a fine was unjustified, the DPC was overruled at the last minute by the European Data Protection Board (EDPB). We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day.

Natasha Lomas, TechCrunch:

As noted above, with today’s decision, the DPC [Irish Data Protection Commission] is actually implementing a binding decision taken by the EDPB [European Data Protection Board] last month in order to settle ongoing disagreement over Ireland’s draft decision — so much of the substance of what’s being ordered on Meta today comes, not from Dublin, but from the bloc’s supervisor body for privacy regulators.

This apparently includes the existence of a financial penalty at all — since the Board notes it instructed the DPC to amend its draft to include a penalty, […]

A report earlier this month from the Irish Council for Civil Liberties found the DPC frequently negotiates decisions on a case-by-case basis, which leads to enforcement which is both unclear and not sufficiently dissuasive. Ireland is, of course, where many U.S. tech companies locate their international headquarters for tax avoidance purposes — as Dr. Johnny Ryan noted (PDF) in that report, those businesses include Airbnb, Apple, Google, Microsoft, Tinder, Twitter, and Yahoo, in addition to Meta.

As Lomas writes, European authorities have become increasingly worried about data transfers between the E.U. and the U.S., and have been treating the possibility of interception and espionage as a GDPR violation. Meta seems to be right in pleading scapegoat for a technique used by plenty of other businesses. However, few can claim the scope and scale of Meta’s violations, and especially their frequency. Companies owned by Meta represent seven of the ten greatest penalties issued under GDPR rules. Maybe Meta just sucks at privacy protections.