Facebook is to be fined more than €746m (£648m) and ordered to suspend data transfers to the US as an Irish regulator prepares to punish the social media network for its handling of user information.
The fine, first reported by Bloomberg and expected to be confirmed as soon as Monday, will set a record for a breach of the EU’s general data protection regulation (GDPR), beating the €746m levied on Amazon by Luxembourg in 2021.
The decision by Ireland’s Data Protection Commission, which is the lead privacy regulator for Facebook and its owner Meta across the EU, is also expected to pause transfers of data from Facebook’s European users to the US.
The ruling is unlikely to take effect immediately. Meta is expected to be given a grace period to comply with the decision, which could push any suspension into the autumn, and the company is expected to appeal against the decision.
The ruling relates to a legal challenge brought by an Austrian privacy campaigner, Max Schrems, over concerns resulting from the Edward Snowden revelations that European users’ data is not sufficiently protected from US intelligence agencies when it is transferred across the Atlantic.
Writing in 2020, Meta’s policy chief, Nick Clegg, said suspending data transfers on the basis of standard contractual clauses (SCCs) – a mechanism used by Facebook and others – could have “a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on”.
In Meta’s most recent quarterly results, the company said that without SCCs or “other alternative means of data transfers” it would “likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe”.
Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties and a campaigner for stronger protection of internet users’ data, said a financial punishment exceeding €746m would not be enough if Facebook did not fundamentally change its user data-reliant business model.
“A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally,” he said.
The Irish data watchdog has fined Meta, which also owns Instagram and WhatsApp, a total of nearly €1bn since September 2021. It also regulates Apple, Google, TikTok and other technology platforms whose EU headquarters are in Ireland.
In November last year, Meta was fined €265m (£230m) by the watchdog after a breach that resulted in the details of more than 500 million users being published online.
That came weeks after a €405m fine for letting teenagers set up Instagram accounts that publicly displayed their phone numbers and email addresses.
Any suspension would be rendered meaningless if the US and EU implement a new data transfer agreement, which has been agreed at a political level.
A Meta spokesperson said: “This case relates to a historic conflict of EU and US law, which is in the process of being resolved via the new EU-US Data Privacy Framework. We welcome the progress that policymakers have made towards ensuring the continued transfer of data across borders and await the regulator’s final decision on this matter.”
The latest problems for Meta emerged after the group reported better-than-expected first-quarter revenue last month of $28bn.
Meta, which owns Instagram, Facebook and WhatsApp, has been attempting to shift away from social media and develop the metaverse – its virtual reality program. The billions spent on those efforts caused concern among investors as Meta has also struggled to compete with the rise of TikTok, which has proved particularly popular among younger people.
The company, meanwhile, has made mass layoffs as part of a planned “year of efficiency” that its founder, Mark Zuckerberg, announced in February.
Facebook to be fined £648m for mishandling user information