Meta faces record EU privacy fine over US data transfers
Facebook owner Meta Platforms Inc. is set to be handed a record European Union privacy fine eclipsing a €746 million penalty doled out to Amazon.com Inc..
The current highest fine was levied by Luxembourg’s regulator in 2021 after Amazon was accused of mishandling personal data.
Ireland’s data protection commission will punish the social network giant for failing to heed a top court warning aimed at protecting users’ data from the prying eyes of US security services once it’s shipped to servers across the Atlantic, according to people familiar with the case, who spoke on condition of anonymity.
The regulator, which oversees the EU operations of most Silicon Valley firms, will also order the social network to stop all data transfers to the US that rely on supposedly unsafe contractual clauses questioned by the bloc’s top court, the people said.
It’s the latest round in a long—running saga that eventually saw the likes of Facebook and thousands of other companies plunged into a legal vacuum.
EU judges in 2020 annulled an EU decision regulating transatlantic data flows over fears citizens’ data wasn’t safe once shipped to the US. While they didn’t strike down an alternative contractual tool, their doubts about American data protection quickly led to a preliminary order from the Irish authority telling Facebook it could no longer move data to the US via this other method either.
A data-transfer ban has been widely expected and that once prompted Meta to threaten a total withdrawal from the EU. The Irish decision will only target Meta’s Facebook and won’t affect other Meta services, such as Instagram, or any of the other firms that have been transferring data the same way, the people said.
Menlo Park, California-based Meta declined to comment.
The Meta penalty is likely to come before the fifth anniversary of the EU’s General Data Protection Regulation, the people said.
The Irish decision will only target Meta’s Facebook and won’t affect other Meta services, such as Instagram, or any of the other firms that have been transferring data the same way, the people said.
The ban is expected to come with a transition period, and will most certainly be followed by an appeal from Meta in the Irish courts, by which time a new transatlantic data pact the EU has been negotiating with the US might have taken effect.
The Irish authority adopted the decision last week and will publish it in the coming days after Meta has had a chance to highlight potentially sensitive information, according to Graham Doyle, its deputy commissioner. He declined to comment further.
The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the U.S. National Security Agency. Privacy campaigner Max Schrems has been challenging Facebook in Ireland — where the social media company has its European base — arguing that EU citizens’ data is at risk the moment it gets transferred to the U.S.
©2023 Bloomberg L.P.