Ireland’s data protection authority finds Meta guilty of Facebook’s breach of the General Data Protection Regulation (GDPR). The tech giant has been fined 15 billion euros and must cease all data transfers from Facebook’s EU users to the US within six months.
The case dates back to 2013, when Austrian Max Schrems took Facebook to court following Edward Snowden’s revelations about mass surveillance by US authorities, including the sharing of data from the EU. In 2016, the transatlantic Privacy Shield agreement was established, regulating the exchange of personal data for commercial purposes between the US and the EU. However, in 2020, the EU revoked this agreement because it was considered to be in breach of other European privacy laws.
Since then, the EU and the US have been negotiating a new agreement but have not yet reached an understanding. However, the US is not allowed to store personal data of EU citizens until a new agreement is in place, something the tech giant has not taken lightly, stressing that it may have to suspend its services within the EU. At the same time, it has still transferred some data from the EU to the US.
Now the Irish data protection authority DPC has found Meta guilty of Facebook’s violation of the GDPR, The Verge reports. The tech giant will have to pay a fine of SEK 15 billion, which is the highest fine to date for violations of the GDPR. The DPC argues that the current legal framework for data transfer to the US “did not address the risks to the fundamental rights and freedoms” of Facebook’s EU users and is therefore in breach of the GDPR.
Schrems thinks the fine could have been much higher, but is nevertheless satisfied with the decision:
– We are happy to see this decision after ten years of litigation, Schrems said in a press release. The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years.
The reason why Meta wants to transfer personal data to the US is because of its targeted advertising activities.
The DPC has now ordered Meta to cease all data transfers from Facebook’s EU users within six months. However, this only applies to Facebook and not, for example, to Instagram and WhatsApp, which are also owned by Meta.
However, Meta’s global head of policy Nick Clegg and general counsel Jennifer Newstead say the fines are “unjustified and unnecessary” and that they will appeal the ruling.