The Irish Data Protection Commission (DPC) in Dublin, where Facebook’s parent company Meta has its European headquarters, has imposed a record fine of €1.2 billion on the internet giant. This decision follows a long-standing dispute over the handling of user data and its inadequate protection by Meta. Currently, data is being transferred from Europe to the United States, where US intelligence agencies can access and use the data without significant legal barriers. This practice and the insufficient protection of sensitive user data are known to violate the European General Data Protection Regulation (GDPR).
This record penalty adds to a series of high fines for GDPR violations in recent years and could have been even higher for Meta. In 2021, Amazon was fined €746 million for a similar violation. Facebook’s parent company, Meta, now appears six times in the top 10 list of the highest GDPR fines. Privacy activist Maximilian Schrems was quoted as saying, “The maximum penalty is over four billion, and Meta has knowingly violated the GDPR for ten years to make a profit.” The decision followed a long bureaucratic struggle among European data protection authorities, who no longer wanted to turn a blind eye to the practices of major internet businesses.
However, the new record fine also highlights a legal dilemma: Ultimately, it is US security laws that allow US intelligence agencies to demand user data from businesses without sufficient legal restrictions and exploit it for intelligence purposes. If Meta wants to prevent data from being transferred to the US and used by intelligence agencies, it will likely have to fundamentally restructure its systems. For now, Meta has announced that it will challenge the decision.
We will keep you informed of further developments on this issue.
(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)