Meta has been handed a £1 billion fine for breaching European Union general data protection regulation (GDPR) rules.
The parent company of WhatsApp, Instagram and Facebook – whose European headquarters are in Dublin – has been punished by the Irish data protection regulator for Facebook’s long-standing practice of transferring EU user data to the United States for processing.
Despite the mind-boggling sum – which easily tops the then-record €746m fine handed to Amazon in 2021 – it only accounts for 1% of Facebook’s annual advertising revenues.
An EU court in 2020 found that the data transferred by Facebook was insufficiently protected from spying agencies in the US. It has been ordered to stop unlawful processing and storage of data in the US in the next six months.
The order, which Meta plans to delay through the courts, does not extend to Instagram and WhatsApp.
Austrian privacy campaigner Max Schrems and his NOYB organisation lodged the original complaint over Facebook’s use of data in 2013.
“We are happy to see this decision after 10 years of litigation,” said Schrems. “The fine could have been much higher, given that the maximum fine is more than €4b and Meta has knowingly broken the law to make a profit for 10 years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”
Meta said it would appeal the “unjustified and unnecessary” decision and denied that there would be any disruption to its services. It said the fine sets a “dangerous precedent”.
Online Safety Bill ‘could turn phones into surveillance tools’
“Meta has prepared for the fine, but it is huge. It will have a duty to its shareholders to appeal it,” reflected Nigel Jones, co-founder of Privacy Compliance Hub.
“It was expecting a fine and an order for suspension of data transfers to the US, but the requirement to stop the storage of the personal data of EU individuals which it transferred unlawfully is a massive undertaking to carry out, financially, technically and logistically.
“It’s difficult to see how it can cease the transfers and bring its processing within the law in the time given. Its only commercially viable option appears to be to appeal to the courts in an attempt to further delay implementation of the decision.
“In the meantime it will hope that the EU and the US can agree a mechanism – known as the Data Privacy Framework – that will enable Meta and other companies to legally transfer the data of EU individuals to the US.
“However, that won’t help such companies with the vast amounts of EU data that they are currently storing unlawfully in the US as a result of this decision.”
Despite being an EU-US issue, the UK will be affected by the decision, says Jones. “Politically the UK is caught in the middle – the UK needs to show the EU it is a safe place for data, but it can’t do that if it is allowing the data of EU citizens to leave the UK for the US.
“On the other hand, politically it wants to show the US that it is an easy place to do business, but that is difficult if it follows the EU’s lead and blocks the flow of personal data to the US.
“It will be interesting to see what the UK regulator, the Information Commissioner’s Office (ICO), does about this decision.”