Meta Platforms Inc. has been fined €1.2 billion in the European Union for transferring local users’ information to its U.S. data centers.

The penalty was issued today by the Irish Data Protection Authority, which oversees Meta’s privacy practices in the EU. The company’s regional headquarters are based in Ireland. In addition to fining Meta, regulators have ordered the social network to stop transferring users’ data to the U.S. and delete information it had sent previously.

Meta stated following the ruling this morning that there will be no “immediate disruption” to the availability of Facebook in the EU.  The company added that it plans to file an appeal.

Meta is one of many U.S. companies that send information from the EU to their stateside data centers for processing. Until a few years ago, such commercial data transfers were permitted under an agreement called Privacy Shield. In 2020, the EU’s top court struck down the agreement.

The court permitted companies to continue sending data using a legal instrument called a standard contractual clause, or SCC. However, new requirements were attached to the use of SCCs. Companies must ensure that the EU users whose data they transfer outside the bloc receive a level of privacy protection “essentially equivalent to that provided by EU law.”

The bloc’s privacy regulators have determined that Meta had failed to meet that requirement. In particular, the concern is that the information the company sends to its stateside data centers could be subject to surveillance by U.S. intelligence agencies. Regulators have determined that Meta’s data transfer practices amount to a breach of the EU’s GDPR privacy regulations.  

“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous,” said Andrea Jelinek, chair of the European Data Protection Board. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive.”

Under today’s ruling, Meta must not only pay a €1.2 fine but also bring its data practices into compliance with EU privacy rules. The company has been ordered to halt the transfer of users’ data to the U.S. within six months. It must furthermore delete information that was sent previously and is currently stored at its stateside data centers.

Whether the latter two parts of the ruling will come into effect is not yet certain. Last year, the U.S. and EU signed a preliminary agreement that would allow companies such as Meta to continue sending user information to their stateside data centers. However, the deal has not yet been implemented.

The agreement is expected to be finalized sometime between July and October. That means it could be signed before the deadline for Meta to halt data transfers and delete previously sent information. But though Meta may eventually not be required to change its data transfer practices, it will reportedly still have to pay the €1.2 billion fine.

“There is no immediate disruption to Facebook because the decision includes implementation periods that run until later this year,” Meta Global Affairs President Nick Clegg and Chief Legal Officer Jennifer Newstead wrote in a blog post. “We intend to appeal both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines.”

Photo: Unsplash