Why has the EU slapped a record €1.2B fine on Meta?

The ruling comes with a period of at least five months for Meta to comply, but the company has said that it will appeal the decision.

Why was Meta fined?

The Irish data protection board found that Meta infringed Article 46(1) of the GDPR which allows cross border data transfers only if an entity has ensured appropriate safeguards for it. The provision states: “…a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.

The Irish privacy watchdog said that Meta’s use of an instrument known as standard contractual clauses (SCCs) to move data to the US did not sufficiently protect European’s data from America’s privacy regime.

In 2020, the European Court of Justice struck down an EU-US data flows agreement known as the Privacy Shield over fears of US intelligence services’ surveillance practices. The judgement also tightened requirements to use SCCs.

Following the judgement, the EU and US got back on the drawing board to discuss contours of a renewed data transfer framework, called Privacy Shield 2.0 but the system is yet to be formalised.

How has Meta reacted to the ruling?

The company will appeal the ruling, including the “unjustified and unnecessary fine, and seek a stay of the orders through the courts,” said Nick Clegg, President, Global Affairs for Meta, and Jennifer Newstead, its Chief Legal Officer.

They clarified there is no immediate disruption to Facebook because of the decision since it includes implementation periods that run until later this year.