At a pivotal moment for international data traffic, the EU fined Meta a record €1.2 billion for data breaches.
The penalty is the highest ever imposed for violating the GDPR, which was put in place to protect personal data. According to EU regulators, Meta broke the rules by transferring user data from the block to the US for processing.
The Facebook owner made these transfers on It is based on Standard Contractual Clauses (SCC) that regulate the flow of personal data. However, an EU investigation found that SCCs do not provide sufficient protection from US surveillance.
Andrea Jelinek, Chair of the European Data Protection Board, described the violation as “very serious” because the transmissions were systematic, repeated and continuous.
“Facebook has millions of users in Europe, so the amount of personal data transferred is enormous,” she said. “The unprecedented fine is a strong signal to organizations that serious violations have far-reaching consequences.”
Meta called the fine “unjustified and unnecessary” and announced that it would appeal the verdict.
The intrusion could prove crucial for data transfers more broadly. Lawmakers in the EU and US are developing a new transatlantic data protection framework that would clarify the requirements for the cross-border transfer of information.
Nick Clegg, Meta’s head of global affairs, said the new ruling ignored progress on the matter. He called it “a dangerous precedent” for data transfers that threatens the very foundations of an open internet.
“Without the ability to move data across borders, there is a risk that the internet will become divided into national and regional silos, constraining the global economy and denying citizens in different countries access to many of the common services we have come to expect rely on,” Clegg said.
Of course, Clegg has a vested interest in making it easier for data to flow into the US, but he’s not alone in calling for the eradication of digital borders. According to Janine Regan, legal director for privacy at law firm Charles Russell Speechlys, there is political consensus on both sides of the Atlantic to resolve the issue.
“It is likely that an alternative transfer mechanism will be ready by the summer Meta “We don’t have to suspend transatlantic remittances entirely, but that will be no consolation for a company facing such a record-breaking fine,” she said.
Dangerous times for data breaches
The new ruling also serves as a warning to other companies that transfer data. Chris Linnell, senior privacy advisor at cybersecurity firm Bridewell, called it “a stark reminder” that SSCs alone don’t adequately protect personal information.
He recommended that all organizations conduct a transmission risk assessment when processing personal data outside the EU. In addition, he recommends regular and ongoing reviews of compliance and potential risks for data subjects.
“Ultimately, contracts in place between the parties will not provide protection when receiving organizations must comply with their own legal obligations under national surveillance laws such as FISA in the United States,” Linnel said.