EU hands Meta record $1.3 billion fine over data transfers to US

The social media giant Meta was hit with a record €1.2 billion fine (about $1.3 billion) on Monday for illegally transferring data on European citizens to the United States.

The Irish Data Protection Commission, which takes the lead on Meta since the company is headquartered in Dublin, announced the fine on Monday. Such data transfers are prohibited under the General Data Protection Regulation (GDPR) because the European Union says U.S. law does not adequately protect its citizens’ data from the government’s surveillance practices.

Meta’s fine is the largest a company has ever received under the GDPR, and accounts for just over 1% of the more than €108 billion ($117 billion) the company generated from April 2022 through the end of March.

EU laws restrict intelligence agencies’ access to private information based upon what is necessary and proportionate for the purposes of upholding national security. There is no specifically equivalent restriction on intelligence agencies in the U.S.

Meta’s fine dwarfs the second largest ever imposed for a GDPR breach — a €746 million (about $886 million) penalty issued to Amazon in 2021, followed by several previous fines against Meta, including €405 million (about $402 million) in 2022 for leaking teenagers’ contact details.

The genesis of this fine began almost a decade ago, when a contractor for the U.S. National Security Agency revealed that the agency was potentially breaking the law by collecting data from internet platforms, including Facebook.

Armed with these revelations, an Austrian law student named Max Schrems filed a formal complaint against Facebook, which — after almost 10 years of lengthy court battles and a number of additional complaints — has for now concluded.

Following Monday’s fine, Schrems said he and his team were “happy to see this decision after ten years of litigation” and stated: “Unless U.S. surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”

Meta has been instructed to either delete or repatriate the data of its European users by early November. Despite this instruction, a new data sharing deal between the U.S. and EU is likely to be finalized by then, which would render the instruction moot — although the fine will still stand.

In a joint statement by Nick Clegg, the former British deputy prime minister who is now Meta's president of global affairs, and Jennifer Newstead, the company's chief legal officer, the company said: “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.”