Ireland imposes a fine of 1,200 million euros on Meta, the largest European sanction for privacy infringement

The regulator accuses the parent company of Facebook of not sufficiently protecting the data of Europeans when moving it to the US.

The Irish data regulator has imposed the largest European privacy fine in history on Meta. The 1,200 million, according to the figure that was known this morning, exceeds the 746 with which Amazon was sanctioned in 2021, also for issues related to privacy. The sanction is due to the lack of security guarantees for European citizens in the transfer of their data to the US Like other large technology companies, Meta has its European headquarters in Ireland, with which its national bodies are in charge of regulation.

The decision coincides with the fifth anniversary of the entry into force of the General Data Protection Regulation (GDPR) of the European Union and has been celebrated by the Council of European Regulators (EDPB, for its acronym in English). The record fine, the largest to date in terms of the EU GDPR, is a “strong message to organizations that serious violations [of European standards] have far-reaching consequences,” said the president of the regulators. Europeans, Andrea Jelinek. The infringements committed by Meta’s European headquarters in Ireland “are very serious”, given that they are “systematic, repetitive and continuous” data transfers, Jelinek said in a statement. “Facebook has millions of users in Europe, so the volume of personal data transfer is massive,” she insisted.

The fine emerges from the revelations of Edward Snowden in 2013. The documents that he leaked proved that the US secret services had accessed the data of citizens of other countries through companies such as Google or Facebook. A lawsuit by the Austrian lawyer and activist Max Schrems is at the origin of the case for the transfer of data.

Meta has already responded that this problem is not just their organization and that they plan to appeal the “unjustified and unnecessary” fine: “This is not about the privacy practices of a company, there is a fundamental conflict of laws between the rules of the Government of the United States on access to data and European privacy rights, which legislators are expected to resolve this summer ”, the president of Global Affairs of Meta, Nick Clegg, and the head of the company have published in a company blog. Legal Department, after hearing the decision. That agreement between authorities that Meta is waiting for is the DPF, the Data Privacy Framework (framework agreement on data privacy), which should govern the transfer of data between the EU and the US.

For industry representatives it is also essential that the transatlantic data agreement is closed as soon as possible because, according to the Computer and Communications Industry Association (CCIA), the decision adopted now “ignores reality” and, in fact, , “makes illegal the way the internet works, from video conferencing to browsing the internet to processing online payments.”

“This legal uncertainty will persist as long as the new data transfer mechanism [between the US and Europe] is not formally approved by the Member States,” warned the director for Europe of the CCIA, Alexandre Roure.

A spokesperson for the European Commission has said in Brussels that the European Executive “takes note” of Ireland’s decision and has confirmed that the data protection framework between the US and the EU should be ready “by summer”.

“This will guarantee the security and legal guarantees that companies are looking for, while guaranteeing the strict protection of the private life of citizens,” said the spokesman, Christian Wigand. “The guarantees that we have negotiated with the US and that we want to implement respond to the issues specifically identified in this case,” he said.

“To understand the importance of these practices, it must be remembered that transfer is not only the sending of data to the US, but also the simple access from the US to the data hosted on European servers,” says Jorge García Herrero, a lawyer specializing in protection of data.

The regulator also intends to prohibit Meta from transferring data from Europe to the US and to delete those that have already been sent. It is expected, however, that Meta can avoid these consequences because the European and American governments must sign the DPF, the agreement that regulates this transfer of data between continents. “That order not to send any more data to the US in the future may not be particularly significant because we anticipate a new US-EU data agreement very soon,” says Johnny Ryan, Information Rights Officer at the Irish Council for Civil Liberties. The measure provides for a transition time of six months and it is probable that Meta will appeal, which will lengthen its entry into practice.

The fine, according to the Irish agency, is based on the use of a tool called the standard contractual clause [SCC] to move European data to the US and that it does not “address risks to freedoms and.

n January, Ireland already fined Meta 390 million for the way it forced its Facebook and Instagram users to accept its terms of service to use its networks. This time the sanction refers only to Facebook.

The impact of the data transfer ban goes beyond Facebook, which is the only network directly affected by the decision: “Meta will be ordered to suspend its transfers of personal data from EU residents to the US,” it says Garcia Herrero. “The details of this sanction could affect many more companies, apart from Meta.”

Another substantial detail of the decision affects the deletion of data already sent: “That is a new bomb in itself: it seems obvious that Meta does not have its systems designed in such a way that the European part can be removed cleanly,” adds García Herrero. But in Meta they already warn that this condition is subject to the apparently imminent agreement between governments: “We are pleased that the DPC [the Irish regulator] has also confirmed in its decision that there will be no suspension of transfers or other action required by Meta, such as the requirement to delete the data of EU data subjects once the underlying conflict of laws has been resolved. This will mean that if the DPF goes into effect before the implementation deadlines expire, our services can continue as they do today without any interruption or impact on users.”