Unprecedented $1.3 Billion Fine Levied on Meta by EU for Non-Compliant Data Transfers

Unprecedented Fine by EU Regulators Rattles the Tech Sphere Facebook's parent company, Meta, has been imposed an unparalleled fine of $1.3 billion by the European Union's data protection authorities due to illegal transfer of European users' personal data to the United States.

The European Data Protection Board (EDPB) delivered an obligatory verdict, instructing the social media behemoth to align its data transfer practices with the General Data Protection Regulation (GDPR). Meta is also ordered to eliminate any unlawfully stored and processed data within six months.

Moreover, Meta has a five-month deadline to halt any upcoming transfers of Facebook users' data to the United States. Notably, this decree does not apply to Instagram and WhatsApp, also under Meta's ownership.

Andrea Jelinek, the Chair of EDPB, highlighted the severity of Meta's infringement due to its systematic, repetitive, and ongoing data transfers. She underscored the substantial number of Facebook users in Europe, the large-scale data transfers involved, and how this record-setting fine stands as a powerful warning for organizations infringing upon data protection regulations.

European data protection agencies have consistently pointed out the deficiency of privacy safeguards equivalent to the GDPR in the United States. This sparks worries that European data transferred to US-based servers may potentially be accessed by US intelligence services.

This ruling traces back to a legal complaint filed by Austrian privacy advocate Maximilian Schrems, founder of NOYB, in June 2013. Schrems raised alarms about inadequate protection of EU user data from US intelligence agencies during transatlantic transfers.

According to Schrems, the simplest solution would be to implement reasonable limitations on US surveillance laws, recognized on both sides of the Atlantic, including the need for probable cause and judicial authorization of surveillance. He warned that other significant US cloud providers like Amazon, Google, and Microsoft could face a similar fate under EU law.

Despite Meta planning to use a new data transfer agreement for future transfers, Schrems questioned its sustainability, citing a slim chance of the agreement passing the scrutiny of the Court of Justice of the European Union (CJEU). He stressed that unless US surveillance laws are substantially revised, Meta will likely have to host EU data within the EU.

Schrems also criticized the Irish Data Protection Commission (DPC) for allegedly delaying the case's progression and protecting Meta from fines and data deletion requirements. Both these actions were overturned by the EDPB.

Meta expressed its plan to contest the ruling, terming the fine as "unjustified and unnecessary." It claimed a fundamental legal conflict between US government data access rules and European privacy rights.

Meta's representatives, Nick Clegg and Jennifer Newstead, also raised concerns about the potential impact of limiting cross-border data transfers. They warned of a potential fragmentation of the internet into regional or national silos, which could hinder the global economy and restrict access to shared services across countries.

Meta had previously warned that if forced to suspend data transfers to the US, it might have to discontinue several key products and services in the EU. A new trans-Atlantic data transfer agreement, intended to replace the Privacy Shield, is expected to be concluded later this year, as reported by the Wall Street Journal.

This massive $1.3 billion fine represents the highest ever under the EU's GDPR, surpassing the previous record of €746 million ($886.6 million at the time) lev