
Facebook parent company Meta has been fined a record $1.3 billion by European Union data protection regulators for transferring personal data of its users to the United States.
A binding decision by the European Data Protection Board (EDPB) has ordered the social media giant to make data transfers compliant with the GDPR and to delete illegally stored and processed data within six months.
In addition, Meta has five months to stop transferring Facebook user data to the United States. Instagram and WhatsApp, which are also owned by the same company, are not subject to this order.
EDPB Chairman Andrea Jelinek said in a statement, “The EDPB has determined that the violation of Meta IE is very serious as it concerns systematic, repetitive and continuous transfers.”
“Facebook has millions of users in Europe and the amount of personal data transferred is enormous. The unprecedented fines are a strong reminder to the organization of the far-reaching impact of a major breach.”
European data protection authorities have repeatedly stressed that the United States lacks privacy protections equivalent to the GDPR, and that US intelligence agencies may gain access to data belonging to Europeans when it is transmitted to servers located in the United States.
The ruling stems from a legal complaint filed nearly a decade ago, in June 2013, by Austrian privacy activist Maximilian Schrems, citing concerns that EU user data was not sufficiently protected from U.S. intelligence agencies when transferred across the Atlantic.
“The simplest solution would be to place reasonable limits on US surveillance law,” Schrems said. “There is an understanding on both sides of the Atlantic that surveillance requires good cause and judicial approval.
“It would be time to grant EU customers of US cloud providers these basic protections. there is a possibility.”
“Meta will rely on new contracts for future transfers, but this is likely not a permanent solution,” added Schrems. “My view is that there is probably a 10 percent chance that the new agreement will not be killed by the CJEU. Unless US surveillance laws are amended, Meta will probably have to store EU data in the EU.”
Mr Schrems also accused the Irish Data Protection Commission (DPC) of consistently trying to block the proceedings and to protect Meta from being fined and having to delete data that has already been transferred, only to be overturned by the EDPB.
Meta responded that the fine was “unreasonable and unnecessary” and that there was a “fundamental conflict of law” between U.S. government regulations on data access and European privacy rights, and announced its intention to appeal.
“Without the ability to transfer data across borders, the Internet risks becoming national and regional silos, limiting the global economy and preventing citizens from different countries from accessing many of the shared services we rely on,” Meta’s Nick Clegg and Jennifer Newstead said.
The company warned last year that it could have to stop offering “many of our most important products and services” in the EU if it is ordered to suspend transfers to the United States. The new transatlantic data transfer agreement, which replaces the Privacy Shield, is expected to be signed later this year, according to The Wall Street Journal.
The fine is the largest ever imposed under the EU’s GDPR privacy law, outweighing the €746 million ($886.6 million at the time) fine levied against Amazon in July 2021 for similar privacy breaches.
The development is also the third fine imposed by the DPC this year alone. In January, regulators fined Facebook and Instagram 390 million euros for mishandling user information to serve ads.
Two weeks later, the company was fined €5.5 million for violating data protection laws by forcing users to “consent to the processing of personal data for service improvement and security” and having “made the accessibility of the service conditional on users agreeing to updated terms”.