Ireland’s DPC set to hit Meta with record privacy fine over US data transfers

Regulator set to impose record fine for GDPR-related issues

The Meta penalty is set to eclipse the previous record, a €746 million fine for Amazon. Photograph: Leah Farrell/RollingNews.ie
The Meta penalty is set to eclipse the previous record, a €746 million fine for Amazon. Photograph: Leah Farrell/RollingNews.ie

Ireland’s Data Protection Commission (DPC) is set to hand Facebook owner Meta Platforms a record European Union privacy fine, for failing to heed a top court warning aimed at protecting users’ data from the prying eyes of US security services once it’s shipped to servers across the Atlantic.

The DPC, which oversees the EU operations of most Silicon Valley firms, will also order the social network to stop all data transfers to the US that rely on supposedly unsafe contractual clauses questioned by the bloc’s top court, according to people familiar with the matter who spoke on condition of anonymity.

The Meta penalty, ahead of the fifth anniversary of the EU’s General Data Protection Regulation, will eclipse the previous record, a €746 million fine for Amazon, the sources said.

The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the US National Security Agency

It is the latest round in a long-running saga that eventually saw Facebook and thousands of other companies plunged into a legal vacuum. EU judges in 2020 annulled an EU decision regulating transatlantic data flows over fears that citizens’ data wasn’t safe once shipped to the US.

READ SOME MORE

While they didn’t strike down an alternative contractual tool, their doubts about American data protection quickly led to a preliminary order from the Irish authority telling Facebook it could no longer move data to the US via this other method either.

The company declined to comment.

It is the latest round in a long-running saga that eventually saw Facebook and thousands of other companies plunged into a legal vacuum

A data-transfer ban has been widely expected, and once prompted Meta to threaten a total withdrawal from the EU. The Irish decision will only target Facebook and won’t affect other Meta services, such as Instagram, or any of the other firms that have been transferring data the same way, the people said.

The ban is expected to come with a transition period, and will most certainly be followed by an appeal from Meta in the Irish courts, by which time a new transatlantic data pact the EU has been negotiating with the US may have taken effect.

The Irish authority adopted the decision last week, and will publish it in the coming days after Meta has had a chance to highlight potentially sensitive information, according to Graham Doyle, its deputy commissioner. He declined to comment further.

The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the US National Security Agency. Privacy campaigner Max Schrems has been challenging Facebook in Ireland, where the social media company has its European base, arguing that EU citizens’ data is at risk the moment it gets transferred to the US. – Bloomberg