Meta has been hit with a formal suspension order by the European Data Protection Board (EDPB), requiring it to halt the export of European Union (EU) user data to the US for processing. This move comes after Meta was fined €1.2 billion (approximately $1.3 billion), marking the largest penalty ever issued under the EU’s General Data Protection Regulation (GDPR). The previous record fine was imposed on Amazon in 2021 for misusing customer data for targeted advertising.
The EDPB found Meta in breach of the GDPR for transferring personal data to the US without ensuring adequate safeguards for individuals’ information. The European courts have previously determined that US surveillance practices conflict with EU privacy rights.
Meta quickly responded to the suspension order, stating that it will appeal the decision, considering the fine “unjustified and unnecessary.” The company attributed the issue to a conflict between EU and US law, rather than its own privacy practices. Meta plans to seek a stay from the courts to pause the implementation deadlines, emphasizing the potential harm to the millions of users who rely on Facebook daily.
The Irish Data Protection Commission (DPC), responsible for enforcing the EDPB’s decision, has not provided an official comment yet. However, the DPC’s final decision will play a crucial role in the implementation of the suspension order.
The Irish regulator’s under-enforcement of GDPR against major tech platforms has been a subject of criticism. Privacy campaigner Max Schrems, who filed the complaint against Facebook’s Irish subsidiary nearly a decade ago, argues that the US must reform its surveillance practices to resolve the issue of data transfers between the EU and the US.
While the suspension order provides a transition period of approximately six months, during which Meta can continue operating, the company will appeal and seek to leverage the ongoing negotiations between the EU and the US to resolve the data transfer arrangement. The adoption of a new transatlantic data framework is expected to provide an alternative solution, allowing Meta to avoid suspending its services in the EU.
Nonetheless, challenges to the new transatlantic data transfer deal are anticipated, potentially leaving Meta and other US companies reliant on data exports vulnerable to further legal scrutiny. The case highlights the complexities of regulating tech giants and raises questions about the enforceability of European citizens’ rights under the GDPR.