The European Data Protection Board announced the fine in a statement, saying it followed an inquiry into Facebook (FB) by the Irish Data Protection Commission, the chief regulator overseeing Meta’s operations in Europe.
The move highlights ongoing uncertainty about how global businesses may legally transfer EU users’ data to servers overseas.
The EU regulator said the processing and storage of personal data in the United States contravened Europe’s signature data privacy law, known as the General Data Protection Regulation. Chapter 5 of the GDPR sets out the conditions under which personal data can be transferred to third countries or international organisations.
The fine is one of the largest ever levied under GDPR. The previous record of EUR 746 million (USD 805.7 million) was levied against Amazon in 2021.
Meta has also been ordered to cease the processing of personal data of European users in the United States within six months.
EU officials said that Meta’s infringement is ‘very serious since it concerns transfers that are systematic, repetitive and continuous.’ Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.
Meta, which also owns WhatsApp and Instagram, said it would appeal the ruling, including the fine. There would be no immediate disruption to Facebook in Europe, it added.
The company said the root of the issue stemmed from a ‘conflict of law’ between US rules on access to data and the privacy rights of Europeans. EU and US policymakers were on a ‘clear path’ to resolving this conflict under a new transatlantic Data Privacy Framework.
The new framework seeks to end the limbo facing companies since 2020, when Europe’s top court struck down a transatlantic legal framework designed to address EU concerns about potential US government surveillance of European citizens, known as Privacy Shield.
The United States and the EU have been negotiating a successor agreement since 2022. The continued lack of a Privacy Shield replacement threatens thousands of businesses that depend on being able to move EU user data to other jurisdictions, according to legal experts.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now