Facebook owner Meta has been fined a record 1.2 billion euros ($1.3 billion) for transferring EU user data to the United States in breach of a previous court ruling, Ireland’s regulator announced on Monday.
The Irish Data Protection Commission (DPC), which acts on behalf of the European Union, said the European Data Protection Board (EDPB) had ordered it to collect “an administrative fine in the amount of 1.2 billion euros”.
The DPC has been investigating Meta Ireland’s transfer of personal data from the EU to the United States since 2020.
In January, the DPC fined Meta 390 million euros for breaking data rules in its use of targeted advertising on its apps.
In March, Meta was made to pay 5.5 million euros for breaching the GDPR with its WhatsApp messaging service.
In 2021, online trader Amazon was fined 746 million euros in Luxembourg for infringing the EU’s General Data Protection Regulation (GDPR).
In the latest case, the DPC had initially wanted to force Meta to suspend the offending data transfers, saying that a fine “would exceed the extent of powers that could be described as being ‘appropriate, proportionate and necessary'”.
But its peer regulators in the EU, known as Concerned Supervisory Authorities (CSAs), disagreed and said it should be “subject to an administrative fine”, the DPC said.
With no hope of consensus, the Irish body referred the objections to the EDPB, which ruled that Meta Ireland must suspend future transfer of personal data to the United States and pay a fine.
Clegg and Newstead said the EDPB decision to overrule the DPC “raises serious questions”.
“No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China,” they added.
But EDPB chair Andrea Jelinek characterised Meta’s infringement as “very serious” and called its data transfers “systematic, repetitive and continuous”.
“The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences,” she added.
Max Schrems, who set off a decade of legal battles with his challenge against Meta over the movement of EU data to the United States, welcomed the decision.
But the privacy activist said far harsher sanctions could have been used as Meta had “knowingly broken the law to make a profit”, he said.
“It took us 10 years of litigation against the Irish DPC to get to this result… and risked millions of procedural costs,” Schrems said.
“The Irish regulator has done everything to avoid this decision,” he added.