In a landmark decision, Meta, the parent company of Facebook, has been hit with a record-breaking €1.2 billion ($1.3 billion) fine by European Union regulators for breaching EU privacy laws. The penalty stems from Meta's practice of transferring the personal data of Facebook users to servers located in the United States, which the European Data Protection Board found to be in violation of the General Data Protection Regulation (GDPR). The fine, the largest ever imposed under the GDPR, surpasses the previous record set against Amazon in 2021. Furthermore, Meta has been instructed to halt the processing of European users' personal data in the United States within six months.
The European Data Protection Board emphasized the severity of Meta's infringement, stating that the transfers were systematic, repetitive, and continuous, affecting millions of users and resulting in the massive movement of personal data. Andrea Jelinek, Chair of the European Data Protection Board, highlighted that the substantial fine serves as a strong warning to organizations regarding the far-reaching consequences of serious privacy infringements.
In response to the ruling, Meta, which also owns WhatsApp and Instagram, announced its intention to appeal the decision and the accompanying fine. The company argued that the issue arose due to a "conflict of law" between US regulations on data access and the privacy rights of European users. Meta expressed confidence in the ongoing negotiations between the EU and US policymakers to resolve this conflict through a new transatlantic Data Privacy Framework.
Rehan Jalil, President & CEO of Securiti, shared additional insights on the event and what it means for organizations that need to adhere to strict data compliance regulations:
"Organizations across the world need a comprehensive understanding of what sensitive and personal data they have, where it is located, who has access to it and what specific laws and regulations apply. Lack of insights and awareness makes it difficult to effectively protect and manage the data in compliance with the myriad of today’s privacy laws. It is particularly difficult to navigate cross-border transfer of data and data sovereignty restrictions, as various jurisdictions have their own data protection laws, as is the case with Meta’s record-setting fine.
This highlights the need for automated systems that can provide deep insights into the sensitive data, as well as insights into the context around that data, such as all the regulations that apply, geographic location, access permissions, etc. With these automated insights, organizations can intelligently monitor and alert for potential violations, as manual processes are often inadequate given the sheer volume of sensitive data companies handle."
The absence of a replacement for the invalidated transatlantic legal framework, Privacy Shield, has left businesses in a state of uncertainty since 2020. Thousands of companies depend on the ability to transfer EU user data to other jurisdictions, and the lack of a resolution jeopardizes their operations. While progress is being made in the negotiations between the EU and the US, Meta criticized the European Data Protection Board for disregarding these efforts and warned that the decision sets a dangerous precedent, affecting numerous companies engaged in cross-border data transfers.
For now, Facebook users in Europe will not experience immediate disruptions, as Meta intends to challenge the ruling. The outcome of the appeal will be closely watched, as it carries significant implications for data privacy and the global flow of information.