Meta fined record €1.2bn over data failures

Ireland’s Data Protection Commission said the US tech giant had been fined a record €1.2bn for transferring personal data from the EU to the US in breach of general data protection rules (GDPR).

Meta has also been given five months to suspend any future transfer of data to the US, and six months to cease processing data already in the US that was transferred in breach of GDPR.

Meta called the decision "unjustified" and said it would appeal.

The case revolves around the use of standard contractual clauses (SCCs), which contain safeguards to ensure personal data continues to be protected once transferred out of Europe. In 2020, the Court of Justice of the European Union - the bloc’s highest court - ruled that user data was insufficiently protected from American surveillance programmes.

The DPC found that the SCCs used by Meta post 2020 "did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgement".

Facebook president Nick Clegg, the former politician, said: "We are disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.

"This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US."

The DPC’s ruling only relates to Facebook, and not Meta’s other brands, which include WhatsApp and Instagram.