April 25. 2024. 4:23

The Daily


Meta hit with €1.2bn fine, ordered to halt EU-US data transfers


Meta has been fined a record €1.2 billion and ordered to stop moving EU personal data to the United States in a landmark decision that found such data transfers illegal.

The Irish Data Protection Commissioner (DPC), the leading European authority for Meta, issued on Monday (22 May) the largest fine ever recorded under the General Data Protection Regulation (GDPR), concluding a lengthy investigation that began in August 2020.

The Big Tech company will have six months from receipt of the decision to stop transferring and processing the data of EU residents in the United States, meaning the data will either have to be deleted or moved back to Europe.

The decision is based on the Schrems II ruling of the EU Court of Justice, which found that the US legal regime does not provide adequate data protection by EU standards due to the disproportionate and unchallengeable access of intelligence services.

In December, the Commission adopted its draft adequacy decision certifying the EU-US Data Privacy Framework, which is set to be adopted before the end of the year to provide a new legal framework for transatlantic data transfers.

As such, the question is whether Meta will manage to delay the interruption of the data transfers until the new framework is in place. In a statement reacting to the decision, Meta said there would be no immediate disruption to Facebook in Europe but that it would appeal the findings and seek a stay from the courts.


The enquiry into Meta Ireland was launched in August 2020 but rests on a much lengthier history of questions over the legality of the company’s US-EU data transfers.

A draft decision was completed in July last year, finding that the company’s data transfers were in breach of the EU’s GDPR and mandating their immediate suspension.

The case also concluded that data transfers based on Standard Contractual Clauses must be found to include safeguards providing data subjects with protections essentially equivalent to those guaranteed by the GDPR and the EU’s Charter of Fundamental Rights.

The draft decision was subsequently submitted to the European Data Protection Board, which gathers all European data protection authorities. All authorities agreed with the Irish regulator’s proposal to order a suspension of data transfers.

However, four authorities raised objections over the DPC’s proposed corrective powers, arguing that Meta should be hit with a fine over the infringement. Two of the four also called for action to address personal data that had already been unlawfully transferred to the US since July 2020.

The DPC pushed back against this argument, and the issue was referred to the Board’s dispute resolution mechanism, under which a binding decision was issued last month.

As a result, an administrative fine of €1.2 billion has been levied against the tech giant, the largest ever for a GDPR violation, surpassing the previous record of €746 million set against Amazon.


The final decision found that Meta had breached EU law and that, even though its transfers were made based on the Standard Contractual Clauses outlined by the Commission, they failed to address the threats to data subjects’ fundamental rights and freedoms detailed by the EU Court in its Schrems II ruling.

The Irish authority, therefore, ordered Meta to cease any future transfers of personal data to the US within five months of notification of the decision and to suspend the unlawful processing, including storage, in the US of personal data belonging to European users in violation of the GDPR, within six months of notification.

“Ultimately, the invalidation of Privacy Shield in 2020 was caused by a fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans. It is a conflict that neither Meta nor any other business could resolve on its own,” Meta said in a statement.

“We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,” the company added.

NOYB, the data privacy group led by activist Max Schrems, who initiated the foundational court case, said that, while an appeal by Meta is probable, the company’s past violations make it unlikely to succeed, highlighting the importance of the EU’s new data transfer agreement.

“Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix,” said Schrems in a statement following the decision’s release, adding that the Data Privacy Framework is also likely to be struck down in court.

The ruling against transfers to the US by big tech companies is far from the first by a European data protection authority. Last year, both Italy and France joined Austria in banning the use of Google Analytics in light of the Schrems II ruling.

In April 2023, the Austrian regulator also found the use of Facebook’s tracking pixel to be in breach of both the case law and the GDPR.

