Facebook’s parent company, Meta, has been fined €1.2 billion (£1 billion) for mishandling people’s data when transferring it between Europe and the United States.
Issued by Ireland’s Data Protection Commission, it is the largest fine imposed under the EU’s General Data Protection Regulation privacy law.
GDPR rules require companies to seek people’s consent before using their personal data.
Meta says it will appeal against the “unjustified and unnecessary” ruling.
At the crux of this decision is the use of Standard Contractual Clauses to move EU data to the US.
These legal contracts, prepared by the European Commission, contain safeguards to ensure personal data continues to be protected when transferred outside Europe.
But there are concerns that these data flows still expose Europeans to the US’s weaker privacy laws – and US intelligence could access the data.
Most large companies have complex webs of data transfers – which can include email addresses, phone numbers, and financial information -to overseas recipients, many of which depend on SCCs.
And Meta says their broad use makes the fine unfair.
Facebook president Nick Clegg said, “We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.
“This decision is flawed, unjustified, and sets a dangerous precedent for the countless other companies transferring data between the EU and the US.”