Meta has been ordered to stop transferring European user data across the Atlantic by October to comply with strict EU privacy rules.
Meta, Facebook's parent company, has been fined a record €1.2 billion by the Irish data regulator for breaching EU data protection rules.
Meta is being fined for "continuing to transfer personal data" of users from the European Economic Area (EEA) to the US in breach of the EU’s strict General Data Protection Regulation (GDPR) rules, the Irish Data Protection Commission (DPC), which acts on behalf of the EU, said in its decision.
The Irish watchdog said it gave Meta five months to stop sending European user data to the US and six months to bring its data operations into compliance "by ceasing the unlawful processing, including storage, in the US" of European users' personal data transferred in violation of the bloc's privacy rules.
It is the biggest EU fine ever handed to a tech company, surpassing the €746 million fine handed to Amazon for processing personal data in violation of GDPR.
Meta vowed to appeal and ask courts to immediately put the decision on hold.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US,” Nick Clegg, Meta's president of global affairs, and Chief Legal Officer Jennifer Newstead said in a statement.
The investigation was led by Ireland’s Data Protection Commission, which acts as Meta’s lead privacy regulator in the EU because the Silicon Valley tech giant’s European headquarters is based in Dublin.
The European Court of Justice ruled in 2020 that an EU-to-US data transfer agreement called Privacy Shield was invalid, due to surveillance concerns. There are worries US intelligence agencies could access the information.
Brussels and Washington signed a deal last year on a reworked Privacy Shield that Meta could use, but the pact is awaiting a decision from European officials on whether it adequately protects data privacy.
EU institutions have been reviewing the agreement, and the bloc's lawmakers this month called for improvements, saying the safeguards aren't strong enough.
The saga has highlighted the clash between Washington and Brussels over the differences between Europe's strict view on data privacy and the comparatively lax regime in the US, which lacks a federal data privacy law.
Late last year, Meta was already fined €265 million by Ireland's Data Protection Commission over infringements of GDPR rules.
That investigation was sparked by reports that data on more than 533 million users was found on a website for hackers. The data included names, Facebook IDs, phone numbers, locations, birthdates, and email addresses for people from more than 100 countries.
Meta has previously threatened to remove its services from Europe over data issues.
In its annual report to the US Securities and Exchange Commission last year, the company said that if no new framework were adopted and it could not use the current model of agreements, it might need to leave Europe.
If no new agreement was reached, it warned: "We will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe".
If it's forced to stop shipping user data across the Atlantic, Meta might have to carry out a costly and complex revamp of its operations. The company has a fleet of 21 data centres, according to its website, but 17 of them are in the United States. Three others are in the European nations of Denmark, Ireland and Sweden. Another is in Singapore.
The Computer & Communications Industry Association (CCIA) trade association said on Monday that since the European court's 2020 ruling, "organisations and companies of all sizes have been left without clear guidelines for transatlantic data transfers".
It called on the US and EU to implement a new framework to restore legal certainty.
“Today’s legal uncertainty will continue to persist as long as this new data transfer mechanism has not been formally approved by EU Member States,” said CCIA Europe’s Public Policy Director, Alexandre Roure. “We call on the 27 EU national governments to approve the Commission’s adequacy decision without delay”.