A top European Union data privacy regulator on Wednesday defended a decision to hit Meta with a record-setting 1.2 billion euro ($1.3 billion) fine, saying that she had to enforce the law based on existing regulations.
Helen Dixon, the Data Protection Commissioner for Ireland — the main regulator for Meta and several other big U.S. tech companies — said that the watchdog took the decision to account for the existing EU-U.S. data transfers framework that was in place.
“I have to enforce the law as it is at the time,” Dixon said Wednesday in an interview with CNBC’s “Worldwide Exchange.”
Meta on Monday was fined a record 1.2 billion euros ($1.3 billion) by the Irish Data Protection Commission for breaching the EU’s tough rules on data privacy, known as the General Data Protection Regulation.
GDPR is a landmark data protection regulation that governs firms in the bloc. It came into effect in May 2018. Since then, EU privacy regulators have hit major U.S. tech companies with some eye-watering fines, including an $887 million fine on Amazon in Luxembourg and a $267 million fine on WhatsApp in Ireland. Meta’s fine on Monday is the largest to date.
Several mechanisms to legally transfer personal data between the U.S. and the EU have been contested. The latest such iteration, Privacy Shield, was struck down by the European Court of Justice, the EU’s top court, in 2020.
The Irish Data Protection Commission, which oversees Meta’s operations in the EU, alleged the company infringed the bloc’s GDPR when it continued to send the personal data of European citizens to the U.S. despite the 2020 European court ruling.
Ireland’s regulator also pronounced that Meta was not allowed to continue sharing data on Europeans with the U.S., in a potentially business-crippling decision that could force the firm to move all of its storage and processing of Europeans’ data locally in the EU.
EU and U.S. officials have been attempting to agree a framework to replace Privacy Shield, and there are reports that a substitute for the mechanism could be greenlit by the summer. According to Meta, this would have allowed the company to continue sharing data on EU citizens with its facilities in the U.S. as normal.
Asked why the regulator chose to take its decision now, when there is more regulation to come down the line, Dixon said, “The point is, it still hasn’t come into effect.”
She added, “This new agreement, called the European Data Privacy Framework, it’s still pending. And at the time I concluded my investigation last summer, it still wasn’t really on the horizon. So I had to enforce the law as it is at the time.”
Before Monday, Meta was most recently struck with a $414 million fine for separate GDPR breaches on its WhatsApp and Instagram apps in January. The Monday Meta fine is the largest to date since the EU’s GDPR came into force. Meta says it plans to appeal the decision and the fine.
– CNBC’s Arjun Kharpal contributed to this report