The Irish privacy regulator has imposed a GDPR fine of 1.2 billion euros on Meta. Meta violates privacy law by illegally sending user data to the US. More important than the fine is that Meta has to stop using the much-discussed standard contracts.
The fine is the highest ever handed out for a GDPR violation. Previously, the highest fine was for Amazon, which last year was fined 746 million euros. The fine for Meta comes from the Irish Data Protection Commission, the lead regulator in European investigations into Meta and many other major tech companies that have their headquarters in Dublin. Earlier there were rumors that Meta would be fined early this week, but it was not yet clear how high it would be.
The fine revolves around the much-discussed and controversial ‘standard contractual clauses’. Those SCCs are a holdover from the Privacy Shield treaty discontinuation. The European Court of Justice banned the one in 2020. Privacy Shield made it possible for tech companies to store data from European users in America, but according to the Court, America would not protect the data well enough. The only shortcut left after Privacy Shield was discontinued was standard contractual clauses. Through such ‘model contracts’, tech companies could claim that they had an agreement with a user for the transfer of data. For example, there would be a good reason to send data to the US.
Meta critics have always opposed those SCCs. Max Schrems, among others, has always strongly opposed it. The present case was also brought by him. The Irish regulator now not only issues a fine, but also prohibits Meta from transferring to America via SCCs. That puts a bomb under the business model of the company. Last year, Meta already with To stop Facebook and Instagram in Europe if the contracts were banned.
The decision will not take effect immediately. Meta will first receive a transition period of five months from the regulator. During that period, the company must find a new basis for collecting data from European users. This could be permission, for example. Meta has been working on that for a while now: earlier this year it changed the way it collected user data. That method is also controversial. Experts, including Schrems, think that this method of collection will also not be allowed by judges and regulators.
Meta says in a response that it wants to challenge the decision. The company wants to ask the court to stop the fine and the data issuance. “This is not about one company’s privacy practices – there is a fundamental legal conflict between US government rules and European privacy rights that policymakers expect will resolve in the summer,” says Meta.