Social media giant Meta has been fined a record 1.2 billion euro (£1 billion), and ordered to stop transferring data on European users of its services to its US-based servers.
This comes after a three-year-probe into the Facebook, Instagram, and WhatsApp owner by Ireland’s Data Protection Commission (DPC). The DPC said that Meta had breached the European GDPR (General Data Protection Regulation) rules in the way that it had moved data of Facebook users across borders.
The DPC has ordered Meta Ireland to suspend any future transfer of personal data to the US within the next five months, and also levied a record fine on the business “to sanction the infringement that was found to have occurred”.
In a response posted to the company’s website, Meta’s president of global affairs and chief legal officer Jennifer Newstead said they were "disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US," she wrote. “We are pleased that the DPC also confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects’ data once the underlying conflict of law has been resolved.”
Ms Newstead added: “No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.” Reuters reports Meta plans to appeal the ruling.
Data privacy non-profit NOYB, which first brought the legal challenge, welcomed the DPC's decision. In a statement, founder Max Schrems said: "We are happy to see this decision after ten years of litigation."
Unless US surveillance laws were changed, Meta would have to fundamentally restructure its systems, he said. "The simplest fix would be reasonable limitations in US surveillance law. There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance."
This could be the time to "grant these basic protections to EU customers of US cloud providers," he said. "Any other big US cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under EU law."