The Irish Data Protection Authority (DPC), which acts as the EU-wide data protection regulator, has fined Meta $1.2 billion on the grounds that the transfer of Facebook users’ data from the region to the US exposes them to abuse. It has also ordered it to cease this flow of information within five months on the grounds that it “does not address the risks to the fundamental rights and freedoms” of EU citizens, and that it violates the General Data Protection Regulation (GDPR).
Ireland’s data protection authority penalises the tech giant for operating without a legal scheme to replace the privacy shield that was overturned by the European judiciary in 2020.
The ruling comes 10 years after Austrian lawyer Max Schrems, known for his scrutiny of the privacy policies of US tech giants, launched the case in the context of Edward Snowden’s revelations at the time about the US government’s mass surveillance programmes. Already in 2020 the European Court of Justice had struck down the so-called privacy shield, the legal mechanism by which the then Facebook sent data of its users from the area to the US. By continuing with the practice, DPC understands that the company has violated the provisions of the GDPR, which came into force in 2018.
Meta has announced that it will appeal the decision as “unjustified and unnecessary”, while it hopes that the US and the European Union will reach an agreement to formalise a new legal framework for the transfer of information before the deadline dictated by the DPC. In addition, the social web giant points out that there are “thousands” of companies that use similar frameworks to transmit European user data, which is why it is calling for the new countdown to be suspended. The eventual cessation of sending information would affect, in an uncertain way, around a quarter of its income, the approximate weight of the European Union in its accounts.
In any case, this situation would only affect Facebook, as the DPC has not entered into an assessment of the circumstances surrounding the Instagram and WhatsApp data. Meta has been stringing together sanctions over the last few years in the European Union, such as the most recent one of 390 million dollars for its advertising targeting or the 265 million for failing to protect the data of more than 500 million users. But to date, the largest penalty imposed on a US technology giant for failing to adequately manage the privacy of European users was $746 million for Amazon in 2021.
