Meta was fined a record 1.2 billion euros ($1.3 billion) on Monday and ordered to stop transferring data collected from European Facebook users to the U.S. in a major blow to the social media company for breaching EU data protection rules. ruling.
The penalty announced by the Irish Data Protection Commission is likely to be one of the heaviest in the five years since the EU enacted its landmark data privacy law, the General Data Protection Regulation. The regulator said the company failed to comply with a 2020 ruling by the European Union’s top court that Facebook data transported across the Atlantic was not adequately protected by U.S. spy agencies.
But it was unclear if or when Meta would need to block the data of European Facebook users. Meta said it would appeal the decision, setting up a potentially lengthy legal process.
Meanwhile, EU and US officials A new data-sharing agreement is being negotiated that would give Meta and many other companies legal protection to continue moving information between the US and Europe – a deal that could invalidate much of the EU’s ruling on Monday. A preliminary agreement was announced last year.
The ruling, which has a grace period of at least five months before Meta needs to comply, applies only to Facebook, not to Instagram and WhatsApp, which Meta also owns. The company said it would not immediately interrupt Facebook’s services in the EU.
Still, the EU’s decision shows how government policy can upend the way data has traditionally moved without borders. Due to data protection rules, national security laws, and other regulations, more and more companies are being forced to store data within the country where it was collected, rather than allowing it to move freely to data centers around the world.
The case against Meta stems from U.S. policy that gives intelligence agencies the ability to intercept communications, including digital ones, from abroad. In 2020, Austrian privacy activist Max Schrems won a lawsuit to invalidate an agreement between the U.S. and the European Union known as “Privacy Shield,” which allows Facebook and other companies to Move data between two regions. The risk of U.S. snooping violates the fundamental rights of European users, the European Court of Justice said.
“Unless U.S. surveillance laws are fixed, Meta will have to fundamentally restructure its systems,” Schrems said in a statement on Monday. The solution, he said, could be a “federated social network” in which most personal data would remain in the EU, except for “essential” transfers, such as when a European sends a direct message to someone in the US.
On Monday, Meta said it had been unfairly singled out because of data-sharing practices used by thousands of companies.
“Without the ability to transfer data across borders, the Internet risks fragmenting into national and regional silos, constraining the global economy and denying citizens of different countries access to many of the shared services we depend on,” said Jennifer G. Newstead, president of global affairs at Nick Clegg Meta and Jennifer G. Newstead, the company’s chief legal officer, said in a statement.
this ruling, a record fine under the General Data Protection Regulation (GDPR) that could affect Meta’s stored data related to photos, friendships, and direct messages. It has the potential to hurt Facebook’s business in Europe, especially if it hurts the company’s ability to target ads. Last month, Meta’s chief financial officer, Susan Li, told investors that 10% of its global ad revenue comes from ads served to Facebook users in EU countries. In 2022, Meta has Nearly $117 billion in revenue.
Meta and others are counting on a new data agreement between the US and EU to replace a deal that was declared invalid by the European Court of Justice in 2020. The outlines of a Brussels deal were announced last year by President Biden and European Commission President Ursula von der Leyen, but details are still being negotiated.
The ruling against Meta shows the legal risks companies face as they continue to move data between the EU and the US if no deal is reached.
Johnny Ryan, a senior fellow at the Irish Civil Liberties Commission, said Meta faced the prospect of having to delete vast amounts of data on EU Facebook users. Given the interconnected nature of Internet companies, this presents technical difficulties.
“It’s hard to imagine how it could comply with that order,” said Mr Ryan, who has been pushing for stronger data protection policies.
The decision against Meta coincides almost with the fifth anniversary of the GDPR. Many civil society groups and privacy activists were initially seen as a model for data privacy law, but say it has fallen short of its promise due to a lack of enforcement.
Much of the criticism has centered on a provision that requires regulators in the country where a company has its EU headquarters to enforce far-reaching privacy laws. Ireland, home to the regional headquarters of Meta, TikTok, Twitter, Apple and Microsoft, has received the most scrutiny.
On Monday, Irish authorities said they were overruled by a committee made up of representatives of EU countries. The board insisted on a fine of 1.2 billion euros and forced Meta to dispose of data collected about users in the past, which could include deletion.
“The unprecedented fine sends a strong signal to organizations that serious violations have far-reaching consequences,” said Andrea Jelinek, head of the European Data Protection Board, the EU body that sets the fines.
Meta is often targeted by regulators under the GDPR. In January, the company was fined 390 million euros for forcing users to accept personalized ads as a condition of using Facebook. In November, it was fined another 265 million euros for a data breach.
