In a groundbreaking decision, Meta Platforms, the owner of Facebook, has been slapped with a record-breaking €1.2 billion (US$1.3 billion) privacy fine by the European Union (EU).
The EU’s regulatory body, the Irish Data Protection Commission, announced the penalty and issued a deadline for Meta to cease shipping users’ data to the United States. This stern action comes in response to the company’s failure to adequately safeguard personal information from the prying eyes of American security services.
The Irish Data Protection Commission emphasized that Meta’s ongoing data transfers to the US did not sufficiently address the risks posed to the fundamental rights and freedoms of individuals whose data was being transferred across the Atlantic.
Consequently, Meta has been given a five-month ultimatum to suspend any future transfer of personal data to the US, and a six-month deadline to halt the unlawful processing and storage of transferred personal data in the US.
While the ban on data transfers was widely expected and previously prompted Meta to consider withdrawing from the EU altogether, the impact of this decision has been mitigated by the transition phase outlined in the ruling. Additionally, there is hope for a new EU-US data flows agreement, which could be operational as early as the middle of this year.
Monday’s decision is the latest development in a protracted saga that has left Facebook and numerous other companies in a legal quandary. In 2020, the highest court of the EU annulled an EU-US pact that regulated transatlantic data flows due to concerns over the safety of citizens’ data once it reached US servers.
While the court did not invalidate an alternative tool based on contractual clauses, doubts about American data protection prompted the Irish authority to issue a preliminary order, prohibiting Facebook from transferring data to the US via this method as well.
In December, EU regulators unveiled proposals to replace the defunct “Privacy Shield” agreement, which had been invalidated by the EU’s Court of Justice. Months of negotiations with the US resulted in an executive order from President Joe Biden and assurances that EU citizens’ data would be safeguarded during transatlantic transfers.
The fine imposed on Meta Platforms coincides with the fifth anniversary of the EU’s General Data Protection Regulation (GDPR), which is considered the global standard for privacy protection. Since May 2018, EU regulators have had the authority to impose fines of up to 4% of a company’s annual revenue for severe violations.
The Irish Data Protection Commission has swiftly emerged as the leading privacy regulator for major tech firms with an EU presence, including Meta and Apple, following the transition triggered by the annulment of the EU-US data pact.
As the deadline looms for Meta Platforms to comply with the EU’s demands, all eyes will be on the company’s response and the potential impact on transatlantic data flows. This landmark decision serves as a stark reminder of the importance of safeguarding personal information and the ever-evolving landscape of data privacy regulation in the digital age.