Facebook parent company Meta has vowed to appeal a record €1.2 billion fine imposed by the Irish Data Protection Commission (DPC) for breaches relating to the transfer of personal data from the EU to the US.
It is the largest ever EU privacy fine, exceeding the previous record penalty of €746 million which was imposed on Amazon in 2021.
As part of the decision, Meta has been ordered to suspend the transfer of data from the EU to the US and has been given five months to comply.
The company has been given six months to cease the unlawful processing, including storage, in the US of personal data of European users transferred in violation of the General Data Protection Regulation (GDPR).
The decision relates only to Facebook and not Meta's other platforms such as Instagram and WhatsApp.
The ruling follows an investigation by the DPC into the legal tools used by Meta to transfer Facebook user data from the EU to the US.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
The tools are known as "standard contractual clauses" and the DPC found that the arrangements did not address the risks to the fundamental rights and freedoms of data subjects.
Meta said it will appeal the decision.
"We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts," the company said in a statement.
Meta said it was disappointed to have been singled out when using the same legal mechanisms as thousands of other companies providing services in Europe.
"This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US," Meta said.
In its original ruling, the DPC did not recommend a fine but some of its fellow European data watchdogs disagreed and ultimately the European Data Protection Board (EDPB) ordered that a fine be imposed.
Meta said this raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator, disregarding the findings of its multi-year inquiry.
The Irish Data Protection Commissioner has said that the investigation conducted into Facebook Ireland found transfers of information relating to EU persons were unlawful.
"The findings of the investigation were endorsed in their entirety by my fellow authorities, they enforced to measure to suspend the transfers," Helen Dixon said.
She pointed out that there were 47 supervisory authorities, and four wanted to impose additional measures such as a large fine. She said that due to the way things are set up with the 47 authorities, it would be irrational "to expect that the document would come out the other end untouched".
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
Revelations in 2013 by whistleblower Edward Snowden that US authorities were spying on social media users sparked concerns over the safety of EU user data once it was transferred to the US.
Austrian privacy campaigner Max Schrems filed a legal challenge against Facebook for failing to protect his privacy rights.
Lengthy court battles followed which ultimately saw the European Court of Justice strike down the 'Privacy Shield' data transfer agreement that had existed between the EU and US.
A new data transfer framework has been agreed between the US and EU and it is expected to be in place later this year.
Speaking on RTÉ's Drivetime programme, Fianna Fáil Senator Malcolm Byrne said that today's fine of Meta for the breach of data presents a broader issue for all of us around how our data is used by tech companies.
He said that the case speaks fundamentally on how safe our data is and how it should be used, and he said that the US needs to come out with a decision on this going forward from the case on its data regulation regime.
He added that he did not think Meta would succeed in an appeal, and that the company would not pull out of Ireland due to the fine.
"We need assurances from the US that any European citizens' data, if it's being transferred to the US, that it won't be accessed," he said.
