EU hits Meta with record €1.2B privacy fine

Meta, a U.S.-based tech giant, has been fined a record amount of EUR1.2 billion for failing to comply with EU privacy rules.

The Irish Data Protection Commission (IDPC) announced on Monday that Meta had violated the General Data Protection Regulation (GDPR) when it sent troves of personal data of European Facebook users to the United States without adequately protecting them against Washington’s surveillance practices.

The fine is the largest ever imposed under the EU’s General Data Protection Regulation, the privacy law that is the cornerstone of the bloc. It comes just before the fifth anniversary of the law’s enforcement on 25 May.

Amazon was fined EUR746m by Luxembourg, and the Irish regulator has imposed fines ranging from EUR225m to EUR405m on Meta’s Facebook, Instagram and WhatsApp platforms in the last two years.

The Irish privacy watchdog stated that Meta’s use of a legal instrument called standard contractual clauses (SCCs) to move data to the U.S. did not address risks to fundamental rights and liberties of Facebook users in Europe raised by the landmark ruling of the EU’s highest court.

In 2020, the European Court of Justice struck down an EU-U.S. data flows agreement known as Privacy Shield due to concerns about U.S. intelligence services’ surveillance practices. The top EU court, in the same judgment, also tightened the requirements for using SCCs, a legal tool that is widely used by businesses to transfer personal data to the U.S.

Meta, as well as many other international companies, continued to rely on this legal instrument while European and U.S. officials struggled to come up with a new arrangement for data flows and the U.S. technology giant lacked other legal mechanisms to transfer personal data.

The EU and U.S. have finalized a new deal on data flow that could be implemented as soon as July or as late as the end of October. Meta has until 12 October to stop using SCCs as a transfer method.

The U.S. technology giant warned previously that it could shut down Facebook and Instagram services in Europe if forced to stop using SCCs.

GDPR HIT LIST

For the last five years, fines have been imposed under the European Union’s General Data Protection Regulation, or GDPR, on big tech companies like Amazon, Meta and Google.

[Chart: The 25 highest fines issued under GDPR by national data protection authorities since 2018, in euros.]

Meta has until the 12th of November to either delete or return to the EU all personal data of European Facebook users that has been transferred to and stored in the U.S. since 2020. This deadline is valid until a new EU-U.S. agreement is reached. It’s unlikely that Meta will be required to delete or transfer data, as European and U.S. negotiating teams are expected to reach a new agreement before the end of November.

In a Monday statement, Meta’s Chief Legal Officer Jennifer Newstead and President of Global Affairs Nick Clegg said that the decision was flawed and unjustified.

Clegg and Newstead stated that the company would appeal the decision and ask the courts for a stay to stop the deadlines. The decision has implementation periods that extend until the end of this year, so there is no immediate impact on Facebook.

Max Schrems said that he was pleased with the decision, after ten long years of litigation. “Unless U.S. surveillance laws are fixed, Meta’s systems will need to be fundamentally restructured.”

The Irish Data Protection Commission stated that it did not agree with the fine or measure it imposed on Meta, but was forced to do so by the pan-European regulators’ network, the European Data Protection Board. Dublin’s original decision had been challenged by four other regulators from Europe: Germany, France and Spain.

According to internal discussions published on Monday, earlier this year, the Irish regulator vehemently opposed imposing a financial sanction on the social media titan, stating that such a penalty would be disproportionate in light of the alleged privacy violations. Dublin argued that any fine imposed on Meta could be seen as discriminatory, since U.S. tech giant Google has not faced similar penalties in other transatlantic cases of data protection.

Ireland was overruled, however, by other European regulators. The pan-EU privacy regulators’ body, the EDPB, said in a stinging rebuke that it was of the opinion that “Meta had committed the infringement with at least the highest degree of negligence,” as the discussions published Monday showed. They argued for a fine. The EDPB backed the claims of the four EU privacy regulators who said that Meta should be forced to erase the affected historical European data.