Meta Privacy Infringement Over EU/US User Data Transfers Leads to Record $1.3 Billion Fine

Share article
twitter linkedin medium facebook

European Data Protection Board Imposes Historic Fine on Meta for Transferring EU/US User Data, Igniting Privacy Debate

We have been saying for some time that the consequences of unauthorized data transfers can be incredibly serious, and now we can put a figure on it! The European Data Protection Board has handed a record $1.3 billion fine to Meta after a three-year investigation by Ireland’s Data Protection Commission (DPC) found that the company had violated European GDPR rules by transferring Facebook user data to the States. The privacy body ordered Meta Ireland to halt data transfers to the US for five months and imposed the enormous fine to penalize the infringement.

Meta Privacy: History of Infringement

The DPC has regulatory jurisdiction in the Meta privacy case because the company’s European headquarters are in Dublin. It’s unfortunate for Meta that the DPC was set to impose a more lenient fine, but the other members of the 27-nation European Data Protection Board overruled it.

Meta has criticized the fine, calling it “unjustified,” and no doubt feels somewhat aggrieved, because, as they put it, “No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.”

It may be a fair point, but it is unlikely to make any difference to what is only the latest round in a decade-long struggle. It stems from a process that began way back in 2013 when former National Security Agency contractor Edward Snowden exposed the extent of US authorities’ surveillance activities. As the Reuters news agency reported, this prompted an Austrian privacy activist to launch legal action over potential US intelligence-gathering activities in Europe, and much attention has been directed toward the US ever since.

Meta Privacy Violations: Systematic, Repetitive and Continuous

The last hefty fine for a Meta privacy violation followed a DPC investigation in 2021. It demanded €265m from Meta after finding that data from 533 million people in 106 countries had been scraped from Facebook and posted on a hackers’ forum.  

Andrea Jelinek, who chairs the European Data Protection Board (EDPB), called this latest Meta privacy infringement, “…very serious since it concerns transfers that are systematic, repetitive and continuous.”

Jelinek noted that Facebook’s millions of users in Europe meant that the amount of personal data involved was huge, and said the fine was intended to warn organizations away from serious infringements.  

Meta has been ordered to comply with European privacy law by ceasing data transfers of EU users to the United States within five months and stopping the storage of European citizens’ personal data in the US, which previously violated EU privacy regulations.


Meta plans to appeal the ruling, claiming that the disparity between US and European privacy regulations is concerning. It argues that restricted data transfers would hinder citizens’ access to essential shared services and will impede the global economy.

There’s no doubt that the EDPB means business, so while Meta may have deep pockets, do you? If you have Meta privacy concerns, remember—Reflectiz protects. Get in touch today and discover how we can help you gain clear visibility and control of where your users’ data goes before it costs you.

Subscribe to our newsletter

Stay updated with the latest news, articles, and insights from Reflectiz.

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free