Ireland’s data regulator has imposed a record €1.2 billion fine on Facebook owner Meta for violating European privacy rules, in a move that takes total penalties against the company above €2 billion.
The sanction handed down on Monday by Data Protection Commissioner Helen Dixon followed a long investigation into transfers by Facebook of Europeans’ personal data to the US.
She had not proposed a financial penalty against Meta in her original draft decision in the case but was “instructed” to impose a fine after a dispute resolution process at the European Data Protection Board, the body of almost 50 national and regional data regulators that must approve any cross-border penalties for data violations.
The social media giant has been directed to suspend any future data transfers within five months and told to cease within six months the “unlawful processing, including storage, in the US” of European data transferred in violation of EU law.
It is the biggest penalty since Ms Dixon assumed new powers in 2018 to supervise the pan-European operations of large tech companies such as Meta, which has its EU headquarters in Dublin and is one of the State’s biggest taxpayers.
She is responsible for inquiries into alleged breaches by big tech groups of the EU’s general data protection regulation (GDPR), which was billed as a game-changer in the drive to control how business use consumers’ personal information.
The latest fine is the sixth large GDPR penalty against Meta and its subsidiaries in Ireland, the first five of which cost the group just over €1 billion. Because it appealed previous fines in the High Court, Meta is considered likely to appeal the new sanction.
This fine brings the running total for Big Tech fines imposed by the DPC against Meta to more than €2.5 billion.
Meta Ireland was found to have violated the GDPR by continuing to transfer personal data from the EU to the US after a judgment against such transfers in Europe’s highest court.
Meta had updated its arrangements after the ruling, but Ms Dixon found the company “did not address the risks to the fundamental rights and freedoms of data subjects” that were identified by the European Court of Justice.
Nick Clegg, Meta’s head of global affairs, said the company was “disappointed to have been singled out” for using what he described as the “same legal mechanism” as thousands of other groups providing services in Europe.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US,” Mr Clegg said.
Ms Dixon has been criticised by privacy campaigners for the slow pace at which she has carried out investigations into social media, many of them delayed because of disputes with European regulators over penalties.
She has always rejected such complaints, accusing critics of “superficial skimming of the surface” and “exaggeration”.
Ms Dixon handed down a draft decision in the latest case last July but the final resolution was again delayed by divisions at the European Data Protection Board (EDPB) in Brussels.
Andrea Jelinek, chair of EDPB, said the board found that the Meta infringement was “very serious” since it concerns transfers that are systematic, repetitive and continuous. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
In a statement on Monday, Ms Dixon said four of the 47 European regulators objected to the “corrective power” she proposed in the draft.
“All four … took the view that Meta Ireland should be subject to an administrative fine for the infringement that was found to have occurred. Two of those … also took the view that Meta Ireland should be ordered to take action to address the personal data that had already been unlawfully transferred to the US, ie the data transferred from July 2020 to the present,” the Irish regulator said.
“The Data Protection Commission disagreed, reflecting its view that the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being ‘appropriate, proportionate and necessary’ to address the infringement.”
That led to an EDPB dispute resolution process that concluded with the new fine being imposed on Monday.
Last November Ms Dixon imposed a €265 million fine against Meta after a “collated” set of Facebook personal data was made available on the internet. That fine came after a €405 million sanction in September 2022 for violations of children’s privacy on Meta’s Instagram service, a €17 million fine against Meta in March 2022 for 12 data breaches and a €225 million fine in September 2021 against Meta’s WhatsApp unit for “severe” privacy breaches.
In January Ms Dixon’s office imposed a €210 million fine against Facebook for separate GDPR breaches and a €180 million in relation to violations by its Instagram platform.