Ireland’s Data Protection Commission (DPC) has fined Meta €1.2 billion ($1.3 billion) for breaking Europe’s stringent data privacy laws. In its May 22 ruling, the DPC found that Meta had violated the General Data Protection Regulation (GDPR) by failing to protect European Facebook users’ personal data from American surveillance.
The penalty, the largest possible allowed by the GDPR—a landmark data privacy law passed by the European Union in 2018—is equivalent to 4% of Meta’s global revenue last year. In a prepared statement, Meta said it would appeal the ruling, calling the fine “unjustified and unnecessary.”
Meta has already been fined about €1.3 billion by the Irish DPC since 2021, for six different violations of the GDPR across Facebook, Instagram, and WhatsApp. However, the size of this penalty is unprecedented, totaling nearly as much as all of the others combined.
Which data laws did Meta break?
The latest ruling found that Meta had violated the terms of a court case between Facebook Ireland and the DPC in 2020, which effectively struck down the open transfer of personal data between the EU and the US over documented cases of surveillance by American intelligence services.
To mitigate that ruling and continue moving data back and forth between servers, Meta has been using standard contractual clauses (SCCs), data protection guardrails pre-approved by European regulators.
However, the DPC found that Meta’s use of SCCs “did not address the risks to the fundamental rights and freedoms” of European Facebook users, cutting off Meta’s last avenue for data-sharing and raising the possibility that the company will be forced to cordon off the data of European Facebook users.
The case comes as American and European officials negotiate the details of an agreement that would regulate the transfer of personal data across the Atlantic. Announced last year, the deal was confirmed by the European Commission in December. If implemented, it could supersede the DPC’s ruling.
Quotable:
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.” —Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, the company’s chief legal officer, in a statement released after the DPC ruling. Clegg was once deputy prime minister of the UK.
A timeline of Meta’s fines from the Irish DPC
September 2, 2021: Regulators fine Meta €225 million ($266 million) for multiple privacy breaches of WhatsApp users’ personal data.
March 22, 2022: Regulators fine Meta €17 million ($19 million) for failing to implement technical and organizational measures to protect user data.
September 5, 2022: Regulators fine Meta €405 million ($402 million) for failing to protect children’s data on Instagram.
November 28, 2022: Regulators fine Meta €265 million ($275 million) for a data leak that revealed the personal information of more than 500 million Facebook users.
January 4, 2023: Regulators fine Meta €390 million ($414 million) for forcing users to accept targeted ads on Facebook and Instagram.
January 17, 2023: Regulators fine Meta €5.5 million ($5.95 million) for violating data protection laws in WhatsApp.