The European Data Protection Board (EDPB) announced the fine on Monday, saying that Meta had breached the General Data Protection Regulation (GDPR) by transferring personal data of its EU users to servers in the US without adequate safeguards.
The EDPB also ordered Meta to stop transferring EU user data to the US by October 2023 and to delete any data that had been previously transferred in violation of the GDPR. Meta said it plans to appeal the ruling, calling it “flawed, unjustified and sets a dangerous precedent for countless other companies”.
The company argued that there was a conflict between the EU and US privacy regulations and that blocking data transfers would harm the global economy and internet services. In its press release, the data regulation board stated:
“The EDPB found that Meta IE's infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
Violating GDPR by Sending Data to the US
The EDPB found that Meta had violated the GDPR by transferring personal data of EU users to the United States without adequate safeguards in place. The EDPB said that Meta had failed to obtain the necessary consent from users for the transfers, and that it had not used standard contractual clauses or other appropriate safeguards to protect the data.
GDPR is a data protection law that was adopted by the EU in 2016. The law gives individuals more control over their personal data and requires companies to take steps to protect it. The GDPR has been hailed as a landmark piece of legislation, but it has also been criticized for being too complex and for imposing too heavy a burden on businesses.
The fine against Meta is a significant development in the enforcement of the GDPR. It is the first time that a company has been fined such a large amount for violating the law. The fine is likely to send a strong message to other companies that they need to take data protection seriously.
The EDPB said that Meta had failed to comply with these rulings and continued to rely on invalid legal mechanisms to transfer data to the US. According to the watchdog, Meta's infringement was “very serious” as it affected millions of users in Europe and involved “systematic, repetitive and continuous” data transfers.
The EDPB is an independent body that coordinates the enforcement of data protection rules across the EU. Meta says it expects a new agreement over EU-US data transfers to be reached before it has to suspend them. The company said that it was committed to protecting its users' privacy and that it had invested in security and encryption technologies to safeguard their data.
Europe's History of Strict Regulation for Big Tech
While this is the biggest fine for specific GDPR violations, Europe already has a history of clamping down on tech companies if they violate regulations. Google has often been at the center of action from the European Commission (EC). Last September, the company was forced to pay €4.1 billion for restricting Android OEMs and networks to boost its own services.
In 2019, Google was hit with a $1.69 billion fine by the bloc for blocking competition to promote its own AdSense platform. The company was also forced to pay $2.7 billion for breaching competition laws around its shopping search results. In 2018, Google was fined $5 billion by regulators in Europe. The Commission says the fine relates to three restrictions Google placed on Android device OEMs.
Google is not the only one to face the regulatory music in Europe. Facebook has fallen foul of lawmakers before, including in 2018 when the company changed its privacy principles to avoid an investigation by regulators. In April, Microsoft separated its Teams solution from the Office productivity suite to appease the EC and avoid regulatory action.
Microsoft Cloud is making changes to how it works in Europe by overhauling the Microsoft Cloud Solution Provider partner program. The company announced its intentions in May last year before rolling out changes in October. Concessions came in the wake of a previous European Commission investigation.