GDPR record fine against Facebook: Meta is to pay a fine of 1.2 billion euros

For ten years, the dispute over Facebook’s transfer of user data to the US, where it is not adequately protected, has been raging. Now follows a record fine.

The Irish data protection regulator has imposed a record GDPR fine of €1.2 billion on Meta and obliged the Facebook parent company to keep all personal data in data centers in the European Union again. This was announced on Monday by the Irish data protection supervisory authority DPC (Data Protection Commission), which is responsible for Meta in the EU. It sets Meta a deadline of five months to stop the data transfer and six months to retrieve it.

The decision, against which Meta wants to take legal action, is the latest part of a dispute over data protection that has been dragging on for years. It started ten years ago with the revelations of NSA whistleblower Edward Snowden. The decision now only applies to Facebook, but not to other meta-services such as Instagram or Whatsapp.

10 years of litigation

10 years ago, Snowden publicized extensive mass surveillance programs in the USA, which brought the US surveillance law FISA into focus, among other things. Section 702 of this Foreign Intelligence Surveillance Act allows US intelligence agencies to solicit emails and other communications from US companies’ customers without judicial approval. Data protection conditions only apply to US citizens and people residing in the USA. This contradicts EU data protection laws and has therefore long been a point of contention. While the EU had repeatedly demanded that US corporations protect European data from this kind of access, this had never been sufficiently implemented.

The Austrian data protection activist Max Schrems had already lodged a complaint with the Irish data protection supervisory authority in 2013, accusing Facebook of not protecting personal data from state surveillance in the USA. As a result, he repeatedly reached fundamental decisions against the legal basis for data transfer before the European Court of Justice, including the Safe Harbor Agreement, which was declared invalid. At the same time, the DPC had repeatedly refused stricter measures against Facebook, thereby arousing resentment across Europe. The record fine now goes back to the European Data Protection Board overruling Irish data protection regulators.

Six times in the top 10 GDPR penalties

Schrem’s data protection association Noyb is now “happy about this decision after ten years of legal disputes”. The fine could have been even higher because Meta knowingly violated the GDPR for ten years “to make a profit”. If the US surveillance laws are not changed, Meta “would now have to fundamentally restructure its systems”. Meta has pointed out to Der Spiegel that the penalty is based on a fundamental legal conflict between US government rules and European data protection laws. In the US Parliament, a renewal of Article 702 of the FISA is pending, so far the debates have not been about the data protection rights of non-US citizens.

The fine imposed is the highest ever imposed for GDPR violations. At the top, a fine of 746 million euros against Amazon will be replaced. This was imposed by Luxembourg’s data protection authority in 2021. In the list of the ten highest GDPR penalties, the Facebook parent company Meta now occupies six places in the top 10. In total, these penalties for the US group add up to 2.5 billion euros.