EU fines Meta for the record $1.3 billion

Meta has been hit with a record $1.3 billion fine by EU authorities for violation of privacy. The company was also ordered to stop transferring user data to the United States, to bring data transfer in line with the GDPR.

Let me remind you that we also wrote that British Airways will pay a record penalty for data leakage within the GDPR, and also that ImmuniWeb presented free service for checking on GDPR requirements.

And also the media wrote that Companies in the EU will have to remove Google Analytics from their websites.

Facebook has been found to be transferring platform user data from the EU to the United States, where data protection regulations vary from state to state and have been deemed inadequate to protect the rights of EU users. Thus, Article 46 (1) of the GDPR prohibits the transfer of personal data to countries or international organizations that lack security guarantees and legal protection mechanisms.

As a result, the Irish Data Protection Commission (DPC) imposed a record $1.3 billion fine on Facebook’s parent company, Meta Ireland, and demanded a suspension of any data transfer that violates the GDPR. At the same time, Instagram and WhatsApp, which are also owned by the company, are not subject to the order.

The fact is that the Irish supervisory authority is the leading regulator of privacy issues in a block of 27 countries, and the European headquarters of Meta is located in Dublin.

It also needs to be clarified that Facebook previously transferred data between European countries and the US in accordance with the GDPR adopted in 2016 and the EU-US Privacy Shield, which allowed data from the EU to be stored with US companies from a special list.

The conditions for international data transfers under the GDPR were changed in July 2020 when the EU Court of Justice ruled that any transfer of personal data under the Privacy Shield is illegal and stricter data control rules need to be introduced.

In August 2020, the DPC initiated an investigation into Meta’s activities, and in July 2022, regulator representatives published a draft decision highlighting that the tech giant was violating Article 46 (1) of the GDPR.

On April 13, 2023, the European Data Protection Board (EDPB) ordered the DPA to impose a fine on Meta and oblige the company to comply with the GDPR. As a result, the Irish Data Protection Commission imposed a $1.3 billion administrative fine on Meta, in accordance with the recommendations of the EDPB (from 20% to 100% of the maximum applicable, considering severity of the violation).

Meta representatives have already responded to the decision of the EU authorities, saying in an official blog that cross-border data transfer is critical for business continuity, and administrative fines and restraining orders will have a serious impact on the company’s work in Europe.

The company said that transatlantic data transfers are controlled by the Standard Contractual Clauses (SCC) used by all organizations, which the Court of Justice of the European Union has previously accepted as a valid alternative for establishing “legal safeguards”.