Facebook owner Meta has been issued a €1.2 billion fine for GDPR violations in relation to data on European citizens being transferred to the US from its HQ in Ireland.

The Irish Data Protection Commission decreed that Facebook breached GDPR by sharing data ‘on the basis of standard contractual clauses (SCCs) since 16 July 2020.’ This seems to essentially mean according to GDPR, European Facebook user’s data was/is unlawfully processed and stored in the US.

This is the biggest ever GDPR related fine, and Meta has also been ordered to bring its data transfers into compliance with the data privacy regulations within 6 months.

An announcement by the DPC notes that while Meta Ireland effected those transfers on the basis of updated SCCs that were brough in by the European Commission in 2021, ‘these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.’

“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous,” said Andrea Jelinek, EDPB Chair. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”

There’s a lot of in the weeds legal details around this of course, but in essence the worries over Facebook data being shared with the US from its Irish base of European operations is based around concern over US surveillance laws and how that might impede upon data privacy of EU citizens.

It’s been brewing for years now –  in 2020 The European Court concluding that US snooping means EU data isn’t safe if transferred over there, which was not taken well by Facebook.

Similarly, in light of the record fine announced today, Nick Clegg, President, Global Affairs at Facebook and former Liberal Democrat leader put out a statement bemoaning the ruling, which also sketches out the timeline in events from its perspective:

In 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield – a key legal mechanism for the transfer of personal data from the EU to the US. This decision created considerable regulatory and legal uncertainty for thousands of organisations, including Meta.

At the time of its decision in 2020, the CJEU confirmed that an alternative legal mechanism called Standard Contractual Clauses (or SCCs) would continue to be valid subject to various legal safeguards.  As such, like thousands of other businesses, Meta used SCCs believing them to be compliant with the General Data Protection Regulation (GDPR).

Today, the Irish Data Protection Commission (DPC) has set out its findings into Meta’s use of this common legal instrument to transfer Facebook user data between the EU and the US. Despite acknowledging we had acted in good faith and that a fine was unjustified, the DPC was overruled at the last minute by the European Data Protection Board (EDPB). We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day.

Facebook says there will be no ‘immediate’ disruption to its services in the EU and since it intends to appeal the decision, we haven’t heard the last of this story.

Get the latest news straight to your inbox. Register for the Telecoms.com newsletter here.