Facebook owner Meta has been fined a record 1.2 billion euros ($1.3 billion) by the Irish Data Protection Commission, or DPC, on behalf of the European Union for illegally transferring EU user data to the United States.
The decision announced on Monday is the biggest fine under the EU's General Data Protection Regulation, a data protection and privacy law commonly known as the GDPR.
The DPC said it has been investigating Meta Ireland's transfer of user data from the EU to the US since 2020 and found that Meta, with its European head office in Dublin, failed to "address the risks to the fundamental rights and freedoms of data subjects "that were identified in a ruling in 2020 by the Court of Justice of the EU, or CJEU.
Andrea Jelinek, head of the European Data Protection Board, said the EDPB found that Meta's infringement is "very serious since it concerns transfers that are systematic, repetitive and continuous".
She said Facebook has millions of users in Europe, so the volume of personal data transferred is massive.
"The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences," Jelinek said in a statement.
Meta has also been ordered on Monday to cease the processing of personal data of European users in the US within six months.
Meta said it will appeal the ruling, including the "unjustified and unnecessary fine".
Meta executives said there is no immediate disruption to Facebook in Europe.
In a response posted online by Meta's global affairs president Nick Clegg and chief legal officer Jennifer Newstead, Meta hopes to see the US and EU adopt a new legal framework for the use of personal data in the coming months, following an agreement in principle last year, which could allow it to continue its data transfer practices.
"This decision is fl awed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and the US," they said in a statement.
Max Schrems, the Austrian privacy activist whose decadelong case against Facebook led to Monday's penalty on Meta, applauded the decision.
The European Center for Digital Rights that he founded said on Monday that ever since Edward Snowden's revelation of US Big Tech aiding the National Security Agency's mass surveillance apparatus, Facebook was subject to litigation in Ireland.
It said that for 10 years, Meta has not taken any material precaution, but simply ignored the CJEU and the EDPB. Now, Meta does not only have to pay a record fine of 1.2 billion euros, but must also return all personal data to its EU data centers.
"We are happy to see this decision after 10 years of litigation. The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for 10 years," Schrems said.