Facebook owner Meta has been fined 1.2 billion euro (£1 billion) and was ordered to stop transferring user data from European users to its US servers.
The record fine was levied by Ireland’s Data Protection Commission (DPC) after a three-year probe into the social media giant.
The DPC said that Meta had breached part of the European GDPR (General Data Protection Regulation) rules in the way that it had moved data of Facebook users across borders.
It ordered Meta Ireland to “suspend any future transfer of personal data to the US within the period of five months” and also levied a record fine on the business “to sanction the infringement that was found to have occurred”. Meta called the fine “unjustified”.
The multi-year process which led to the fine was kicked off by Edward Snowden in 2013 when the National Security Agency (NSA) whistleblower revealed that US authorities were surveilling systems run by several US companies.
Companies had long been allowed to transfer EU customers’ data to the US to help them run their business, but only on a promise that they were protecting this data as well as if it was being stored in the EU.
But the Snowden revelations put a question mark over the whole system.
They sparked a request for the DPC to investigate how Facebook data was shared across continents.
The DPC originally refused, thinking that the complaint was not sustainable, but was overruled years later by the Court of Justice of the European Union.
But Meta said that the issue was larger than simply the practices of one company. The US and EU rules are in “fundamental conflict”, the company said on Monday.
“It is a conflict that neither Meta nor any other business could resolve on its own.
They said there was not going to be any immediate disruption to Facebook, and that Meta would appeal against the decision.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on,” Sir Nick and Ms Newstead said.
They criticised the European Data Protection Board for overruling the DPC’s initial decision that a fine was unjustified because Meta had acted in good faith.
Policymakers on both sides of the Atlantic are currently scrambling to find a new agreement on how data can be shared across borders.
If this is put in place before Meta’s deadline to stop using the current system there will be no disruption to Facebook, Sir Nick and Ms Newstead said.
They added: “No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.”