Meta Hit with Record $1.3B Fine for Violating GDPR

Meta believes they acted in good faith. They will appeal the ruling.

Yesterday, the European Data Protection Board announced that Meta has been fined $1.3 billion for violating the General Data Protection Regulation. This is the largest GDPR fine to date, followed by an $805.7 million fine imposed against Amazon in 2021. Meta was fined after the Irish Data Protection Authority made an inquiry about Facebook data. According to a news release issued by the EDPB, Meta is being fined for transferring personal user data to the US since July 16, 2020.

“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences,” said Andrea Jelinek, EDPB chair, in a May 22, 2023 news release.

In addition to the record fine, Meta has been ordered to ensure all data transfers are GDPR compliant. The tech giant must also delete any data from users in the EU within six months. In a statement, Meta said there would be no immediate disruption to Facebook in the EU, but they plan to appeal the decision.


Copyright © 2023 Authority Media Network, LLC. All rights reserved. Reproduction without permission is prohibited.

Meta’s response

“This is not about one company’s privacy practices — there is a fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer,” wrote Nick Clegg, president of global affairs, and Jennifer Newstead, chief legal officer for Meta, in a May 22 statement. “We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts.”

At issue is the fact that the US and the EU have different laws regarding user data and privacy. To reconcile the differences so that global commerce and data sharing can continue, in 2020, the Court of Justice of the European Union (CJEU) said the Privacy Shield that was previously in place was not valid. Instead, the CJEU said that companies could rely on Standard Contractual Clauses (SCCs), subject to legal safeguards. Meta said they relied on these SCCs because they thought they were compliant with the GDPR. Meta also pointed out that thousands of businesses and organizations in the EU and the US are grappling with this issue, and it has not yet been satisfactorily resolved.

“Today, the Irish Data Protection Commission (DPC) has set out its findings into Meta’s use of this common legal instrument to transfer Facebook user data between the EU and the US. Despite acknowledging we had acted in good faith and that a fine was unjustified, the DPC was overruled at the last minute by the European Data Protection Board (EDPB),” Clegg and Newstead said.

“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on. That’s why providing a sound legal basis for the transfer of data between the EU and the US has been a political priority on both sides of the Atlantic for many years,” added Clegg and Newstead.

FTC imposed $5B penalty in 2019

In 2019, the Federal Trade Commission imposed a $5 billion penalty and significant new privacy restrictions on (then-named) Facebook for violating consumers’ privacy. At that time, the penalty was significantly higher than any other imposed worldwide and one of the largest penalties ever assessed by the U.S. government for any violation.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons in a July 24, 2019 news release. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

Insider Take

The fine imposed upon Meta yesterday is significant. However, the company’s rebuttal indicates they believed they were acting in good faith. This signals that the data privacy regulations for how and when user data can be shared outside its country of origin are unclear and need work. Based on Meta’s lengthy statement, it seems they were prepared for this, and they intend to fight it. The outcome will set a precedent for all businesses and organizations that share or move user data across borders when any of those borders include the EU. It also seems likely that the US will follow the EU’s lead at some point to issue its own version of GDPR.
