The owner of WhatsApp, Instagram and Facebook has been slapped with a record fine of €1.2bn (£1.04bn) by the Irish data protection regulator.
It is the biggest fine ever levied for breach of the general data protection regulations (GDPR), which require the data holder’s permission before using their personal information.
Meta has incurred the fine for transferring EU users’ data to the United States for processing, despite a 2020 verdict handed down by the highest EU court saying the data was insufficiently protected from US spying agencies.
Facebook has been ordered to halt the practice and has been given at least five months to suspend future transfers and six months to stop unlawful processing and storage of data in the US. Instagram and WhatsApp are not subject to the order.
The issue has been ongoing for a decade after privacy activist Max Schrems instigated legal proceedings in 2013 against Facebook, as the company was called at the time.
Meta Verified: Facebook and Instagram launches paid service
Meta to lay off another 10,000 staff
The Data Protection Commission (DPC) in Ireland has jurisdiction over Meta, effectively operating as the EU privacy regulator, as Meta’s European headquarters are in Dublin.
Meta said it would appeal the decision and there would be no disruption in service. It said the decision was “unjustified and unnecessary” and sets a “dangerous precedent”. Meta added it is seeking stays of the order through the courts.
Listen and subscribe to The Ian King Business Podcast here
Prior to Monday’s fine, the largest penalty EU regulators handed out was €746m to Amazon in 2021.
A new pact is being worked on between the EU and US to facilitate safe and legal data sharing and may be operational by the summer but also could face legal challenges. Meta said in April it expects the pact to be completed before it is compelled to cease the current, illegal data transfer.
Even if the arrangement is not in place services will continue to operate, Meta said. Previously it had said a ban could suspend services in Europe.
Ending the data transfer could cost an estimated 10% of its advertising revenue, Meta said in an investor call last month – an amount that is multiples larger than Monday’s £1bn fine.
Fine significant but unlikely to hurt Meta financially
This is a historic fine. The largest ever from the EU relating to its GDPR regulations.
But how much will it matter to Meta?
For the owner of Facebook, Instagram and WhatsApp with a market capitalisation of $680bn (£546bn), the $1.3bn (£1bn) fine from the Irish regulator won’t hurt Meta that much.
It’s only 1% of its annual advertising revenues from Facebook alone.
But it certainly shows that the EU is prepared to stand up to big tech companies over how they treat its citizens’ data.
And Meta has been given five months to come up with a new plan for keeping EU data secure from the prying eyes of the US government or others.
In fact, that work is already under way.
The Biden administration is already working on an EU-US data privacy framework, designed to satisfy GDPR rules if data is moved from Europe to the US.
While Meta is appealing this decision, it will likely have to come up with a new way to manage user data from Facebook and its other platforms – a process its competitors will be watching closely.
However, Big Tech has consistently shown that it is adept at keeping one step ahead of regulators in terms of innovative ways to make money out of their users’ data.
This won’t be the last time Meta or one of its rivals will be called out on data protection and privacy.