Facebook’s parent company, Meta, has been hit with a massive fine of €1.2 billion ($1.3 billion) by Ireland’s Data Protection Commission (DPC) for violating the European Union’s General Data Protection Regulation (GDPR) and ordered to suspend the transfer of user data from the EU to the US. The fine is the largest ever imposed for a breach of GDPR. The previous record GDPR fine was imposed on Amazon by Luxembourg in 2021, amounting to €746 million.

The DPC’s punishment comes in response to a legal challenge brought by Austrian privacy campaigner Max Schrems, who raised concerns about the lack of protection for European users’ data when transferred to the US, particularly in light of the Edward Snowden revelations.

Meta has been given five months to implement the suspension of Facebook data transfers, and it also has six months to cease the unlawful processing and storage of personal EU data already transferred to the US. This means that user data will need to be removed from Facebook servers. However, the ruling does not affect data transfers on Meta’s other platforms, Instagram and WhatsApp. 

The DPC stated that Meta violated GDPR by continuing to transfer EU user data to the US without adequate safeguards for the subjects’ fundamental rights and freedoms, despite a 2020 ruling by the European Court of Justice that called for robust protection of such information. 

The European Commission expressed hope for a new framework for transatlantic data transfers that would provide stability and legal certainty for US tech companies by summer. Once the new data regime is agreed upon and implemented, Facebook may resume data transfers.

Meta expressed disappointment at being singled out by the DPC, arguing that it uses the same legal mechanism as thousands of other companies operating in Europe. It plans to appeal the decision and seek a stay on the data transfer order. Legal experts believe that an appeal by Meta is unlikely to overturn the decision entirely.