Facebook owner Meta has been fined €1.2 billion and was ordered to stop transferring user data from European users to its US servers.
The record fine was levied by the Data Protection Commission (DPC) after a three-year probe into the social media giant.
The DPC said that Meta had breached part of the European GDPR (General Data Protection Regulation) rules in the way that it had moved data of Facebook users across borders.
It ordered Meta Ireland to “suspend any future transfer of personal data to the US within the period of five months” and also levied a record fine on the business “to sanction the infringement that was found to have occurred”.
Meta’s president of global affairs and chief legal officer Jennifer Newstead called the decision “flawed” and “unjustified” in a response posted to the company’s website.
“We are … disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,” she wrote.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.
“We are pleased that the DPC also confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects’ data once the underlying conflict of law has been resolved.”
They added: “No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.”
The fine has been described as a “real landmark moment”, marking the largest sum ever imposed by a European regulator.
Addleshaw Goddard’s head of data protection David Hackett said even in the context of Meta’s hug revenues, the fine is a significant amount.
World’s first law on health labelling of alcohol i…
“However, the corrective actions imposed on Meta are arguably even more significant than the fine,” he added.
“The regulator has given Meta five months to suspend EU-US data flows and six months to bring its data processing operations into compliance with GDPR.
“From a compliance perspective these actions may prove a bigger headache for Meta than the fines.”