Meta fined a record €1.2bn for GDPR breach

The record fine was levied by Ireland’s Data Protection Commission (DPC) after a three-year probe into the social media giant.

The DPC said that Meta had breached part of the European GDPR (General Data Protection Regulation) rules in the way that it had moved data of Facebook users across borders.

It ordered Meta Ireland to “suspend any future transfer of personal data to the US within the period of five months” and also levied a record fine on the business “to sanction the infringement that was found to have occurred”.

Meta called the fine “unjustified”.

The multi-year process which led to the fine was kicked off by Edward Snowden in 2013 when the National Security Agency (NSA) whistleblower revealed that US authorities were surveilling systems run by several US companies.

Companies had long been allowed to transfer EU customers’ data to the US to help them run their business, but only on a promise that they were protecting this data as well as if it was being stored in the EU. The Snowden revelations put a question mark over the whole system.

This sparked a request for the DPC to investigate how Facebook data was shared across continents. The DPC originally refused, thinking that the complaint was not sustainable, but was overruled years later by the EU's Court of Justice.

Meta said that the issue was larger than simply the practices of one company. The US and EU rules are in “fundamental conflict”, the company said on Monday.

A joint statement issued by Meta president of global affairs Sir Nick Clegg and chief legal officer Jennifer Newstead said: “It is a conflict that neither Meta nor any other business could resolve on its own. We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe”.

They said there was not going to be any immediate disruption to Facebook and that Meta would appeal against the decision.

“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on,” the statement from Sir Nick and Newstead added.

They also criticised the European Data Protection Board for overruling the DPC’s initial decision that a fine was unjustified because Meta had acted in good faith.

Policymakers on both sides of the Atlantic are currently scrambling to find a new agreement on how data can be shared across borders.

If this is put in place before Meta’s deadline to stop using the current system there will be no disruption to Facebook, Sir Nick and Newstead said.

They added: “No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.”

News of the record fine comes only days after it emerged that three-quarters of GDPR-related decisions made by the DPC in EU-wide cases since 2018 were subsequently overruled by the European Data Protection Board (EDPB), which felt that the Irish watchdog’s decisions were not sufficiently stringent.

2023 could be shaping up as something of an annus horribilis in financial terms for Meta. In January, it was revealed that Meta alone was required to pay over 80 per cent of all fines levied by the EU in 2022 for GDPR violations, with its bill running to over £500m.

Meta has also shed over 20,000 jobs since November 2022, as Meta chief executive Mark Zuckerberg pursues his “year of efficiency” for the firm.

Responding to the news today of the record fine for Meta's GDPR violations, Nigel Jones, co-founder of the Privacy Compliance Hub, said: "Meta has prepared for the fine, but it is huge. It was expecting a fine and an order for suspension of data transfers to the US, but the requirement to stop the storage of the personal data of EU individuals which it transferred unlawfully is a massive undertaking to carry out, financially, technically and logistically.

"It's difficult to see how it can cease the transfers and bring its processing within the law in the time given. Its only commercially viable option appears to be to appeal to the courts in an attempt to further delay implementation of the decision. In the meantime it will hope that the EU and the US can agree a mechanism known as the Data Privacy Framework that will enable Meta and other companies to legally transfer the data of EU individuals to the US. However, that won't help such companies with the vast amounts of EU data that they are currently storing unlawfully in the US as a result of this decision."

Richard Hollis, CEO of Risk Crew, said: “This is a potentially game-changing fine. It clearly signals that serious infringements bear serious consequences and also demonstrates how legislation is defining borders on the internet by mandating that data is stored within the country where it is collected, rather than allowing it to move freely through data centres across the world.

"The fine also contradicts the popular view that data protection legislation is toothless and fines are too small to effect any real change in the way businesses protect our data - but a change in Meta’s behavior will have a real and substantial impact on the way all businesses protect data. As a result, this could be a data protection milestone.”

Meta's record fine also comes on the same day as one of its leading apps, Instagram (not itself attached to the latest GDPR fine), suffered hours of global outages. Down Detector, the website that tracks tech outages, had logged 56,628 user reports by 11pm yesterday (Sunday).

Down Detector's location map showed the outages spread across the UK, with reports of outages also coming from the US and Australia.

Users could not refresh their feed or post during the outages. Instagram experienced a similar outage on 9 March this year, in which thousands of users reported similar issues.

Over the weekend, it also emerged that Instagram is now testing a text-based, Twitter-competitor app with a selected group of celebrities and influencers.

It is believed that the new platform will be standalone and also decentralised, according to people familiar with the plans, marking a step change away from Meta's typical approach of maintaining full control over its centralised 'walled garden' apps.

While the new app may be standalone, it has been suggested that Instagram users will be able to connect their accounts in both apps.

A June launch date for the new platform is being mooted, as Instagram seeks to capitalise on the upheaval that has been swirling around Twitter since Elon Musk acquired the company last year. Many Twitter users have been casting around for a simple text-based alternative, with apps such as Mastodon and Bluesky getting significant attention, if not lasting traction at this stage.

Twitter's new CEO, Linda Yaccarino, recently stated that it was "game on" with regard to any and all competition in the microblogging sphere.