EU data regulators have fined Meta a record $1.3 billion (1.2 billion euros) and ordered it to stop transferring EU citizens’ Facebook data to the US. EU courts believe that such data transfers expose EU citizens to privacy breaches, a complaint dating back to 2013 and whistleblower Edward Snowden’s revelations about US mass surveillance programs.
The decision was made by the Irish Data Protection Commission (DPC), which said the current legal framework for data transfers to the US “did not address the risks to the fundamental rights and freedoms” of users. from Facebook’s EU and violated the GDPR. The fine surpasses the previous EU record of 746 million euros imposed on Amazon in 2021 for similar privacy violations.
Data transfer to the US is central to Meta’s extensive ad targeting operation, which relies on processing multiple streams of its users’ personal data. Last year, Meta said that it would be forced to consider closing Facebook and Instagram in the EU were unable to send data to the US; a warning that EU politicians saw as an obvious threat. “Meta cannot simply blackmail the EU into waiving its data protection standards,” answered EU lawmaker Axel Voss to the news. “Leaving the EU would be their loss.”
Previously, these data transfers were protected by a transatlantic pact known as the Privacy Shield. But this framework was declared invalid in 2020 after the EU supreme court found that it did not protect data from being extracted by US surveillance programs. This ruling was given in response to a claim by the Austrian lawyer Max Schrems, whose legal battle against Facebook dates back to 2013 and Snowden’s original revelations about US surveillance.
Although Meta has now been ordered to stop these data transfers, there are a number of caveats that benefit the American social media giant. First, the ruling only applies to Facebook data, not other Meta companies like Instagram and WhatsApp. Second, there is a five-month grace period before Meta must stop further transfers and a six-month deadline to stop storing current data in the US. Third, and most importantly, the EU and The US are currently negotiating a new try to transfer data which could be in place as soon as this summer and as late as October.
Despite the record size of the fine, experts expressed doubt that it would change anything fundamental about Meta’s privacy practices. “A €1 billion parking ticket has no consequences for a company that makes many more billions from illegal parking,” said Johnny Ryan, senior fellow at the Irish Council for Civil Liberties. said The Guardian this weekend.
Others were more triumphant. “We are happy to see this decision after ten years of litigation,” said Schrems, whose 2013 legal challenge is the source of today’s ruling, in a Press release. “The fine could have been much higher, given that the maximum fine is over $4 billion and Meta has knowingly broken the law for profit for ten years.”
Meta himself described the fine as “unjustified and unnecessary” in a blog post written by Meta’s president of global affairs, Nick Clegg, and the company’s chief legal officer, Jennifer Newstead. The company stressed that it is just one of “thousands” of companies using similar legal frameworks to transfer data.
“We are appealing these decisions and will immediately seek a stay in the courts, who may pause implementation timelines, given the harm these orders would cause, including to the millions of people who use Facebook every day,” Clegg and Newstead write.
Schrems predicts that any legal appeal of the decision will be unsuccessful. He also suggested that the new EU-US data transfer protocol. The US will be just as vulnerable to legal challenges as the current deal. “Meta plans to rely on the new deal for future transfers, but this is likely not going to be a permanent solution,” Schrems said. “Unless US surveillance laws are fixed, Meta will probably have to keep EU data in the EU.”
Update, Monday May 22, 05:26 am ET: Updated story to add more details of the DPC failure and the reaction of Max Schrems and Meta.
