Meta, the parent company of Facebook, has been hit with a record-breaking fine of $1.3 billion (€1.2 billion) by EU data regulators and has been ordered to halt the transfer of Facebook user data from the EU to the US.
The decision comes as EU courts believe that such data transfers pose privacy risks to EU citizens, dating back to the revelations made by whistleblower Edward Snowden about US mass surveillance programs in 2013.
The ruling was issued by Ireland’s Data Protection Commission (DPC), stating that the current legal framework for data transfers to the US fails to adequately address the risks to the fundamental rights and freedoms of Facebook’s EU users, thereby violating the General Data Protection Regulation (GDPR). This fine surpasses the previous EU record set in 2021, with Amazon being fined €746 million for similar privacy violations.
Meta heavily relies on transferring data to the US for its extensive ad-targeting operations, which involve processing vast amounts of personal data from its users. Last year, Meta warned that it might consider shutting down Facebook and Instagram in the EU if it couldn’t transfer data to the US, a statement seen as a direct threat by EU politicians.
EU lawmaker Axel Voss responded by stating, “Meta cannot just blackmail the EU into giving up its data protection standards. Leaving the EU would be their loss.”
Previously, these data transfers were protected by the Privacy Shield, a transatlantic pact. However, the EU’s highest court invalidated this framework in 2020, ruling that it did not sufficiently safeguard data from being accessed by US surveillance programs. This decision stemmed from a claim filed by Austrian lawyer Max Schrems, who has been engaged in a legal battle against Facebook since 2013 and the original Snowden disclosures.
Although Meta has been ordered to cease these data transfers, there are certain conditions that favor the US social media giant. Firstly, the ruling only applies to data from Facebook and not to other Meta-owned companies like Instagram and WhatsApp. Secondly, there is a grace period of five months before Meta must halt future transfers and a six-month deadline to stop retaining existing data in the US. Finally, negotiations are underway between the EU and the US for a new data transfer agreement, which could be implemented as early as this summer or as late as October.
Despite the substantial fine, experts are skeptical about its impact on Meta’s privacy practices. Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, remarked, “A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally.”
On the other hand, Schrems, whose legal challenge in 2013 led to this ruling, expressed satisfaction with the decision, stating that the fine could have been much higher given Meta’s deliberate violation of the law for profit over the past decade.
Meta has described the fine as “unjustified and unnecessary” in a blog post penned by Meta’s president for global affairs, Nick Clegg, and the company’s chief legal officer, Jennifer Newstead. They emphasized that Meta is just one of “thousands” of companies utilizing similar legal frameworks for data transfers and stated their intention to appeal the decisions and seek a stay from the courts to pause the implementation deadlines, citing the harm it would cause to millions of Facebook users.
Schrems predicts that Meta’s challenges are far from over. He believes that any legal appeal by the company will be unsuccessful, and even the forthcoming EU-US data transfer protocol will fail to satisfy the EU’s privacy regulations in court.
Schrems concludes that unless US surveillance laws are rectified, Meta will likely have to store EU data within the EU, relying on the new agreement for future transfers but recognizing it as an insufficient long-term solution.