Meta Hit with an Unprecedented $1.3 Billion Fine and Mandated to Cease Transferring European User Data to the US


In a groundbreaking move, the European Union has imposed a record-breaking fine of $1.3 billion on Meta for privacy infringements and ordered it to discontinue transferring European users’ data to the US by October. This order constitutes the latest development in a decade-long case spurred by concerns over US cyber surveillance.

The fine, which equates to 1.2 billion euros, is the highest since the EU’s stringent data privacy regulation was introduced five years prior, superseding Amazon’s 746 million euro penalty in 2021 for data protection violations.

Despite its prior warning that its services to European users might be discontinued, Meta pledged to contest the decision and seek an immediate suspension from the courts. The company assured that there would be “no immediate disruption to Facebook in Europe.” The order pertains to user data such as names, email and IP addresses, messages, browsing history, location data, and other information that Meta and other tech companies, such as Google, utilize for targeted online advertisements.

Nick Clegg, Meta’s president of global affairs, and chief legal officer Jennifer Newstead called the decision “flawed, unjustified” and said it sets a “dangerous precedent” for numerous other companies transferring data between the EU and the US.

The dispute has its roots in 2013, when Austrian lawyer and privacy activist Max Schrems voiced concerns over Facebook’s data handling practices following Edward Snowden’s exposure of electronic eavesdropping by US security agencies, including Facebook’s compliance in sharing European citizens’ data with these agencies.

The disagreement underscores the clash between US and EU perspectives on data privacy, with Europe taking a more stringent approach than the US, whose privacy regulations are less rigorous and which lacks a federal privacy law.

In 2020, the EU’s highest court invalidated an agreement regarding EU-US data transfers, known as the Privacy Shield, citing insufficient protection against US government electronic surveillance. The decision on Monday confirmed that another data transfer regulation tool – standard legal contracts – was also inadequate.

Though a renewed Privacy Shield deal, potentially usable by Meta, was signed between Brussels and Washington last year, European officials must still decide whether it adequately upholds data privacy.

The fine was administered by Ireland’s Data Protection Commission, which is the leading privacy regulator for Meta in the EU because the tech company’s European headquarters is in Dublin.

Meta was given a five-month ultimatum by the Irish regulator to stop transferring European user data to the US and a six-month timeline to achieve compliance with the bloc’s privacy rules. This would involve ending the “unlawful processing, including storage, in the US” of European users’ data that was transferred in violation of the EU’s privacy rules.

Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, said this data erasure could pose more of a challenge for Meta than the financial penalty. “If the company has to scrub data for hundreds of millions of European Union users going back 10 years, it is tough to see how it will be able to comply with that order.”

However, Meta said that if a new transatlantic privacy agreement comes into effect before the set deadlines, services could continue without disruption.

Schrems said Meta has “no real chance” of substantially overturning the decision. He also suggested that a new privacy agreement might not necessarily resolve Meta’s issues due to the likelihood of its being invalidated by the EU’s top court.

Schrems proposed a potential resolution: a “federated” social network where European data remains in Meta’s data centers in Europe “unless users, for example, chat with a U.S. friend.”

In its latest earnings report, Meta cautioned that without a lawful basis for data transfers, it could be compelled to halt offering its products and services in Europe, significantly impacting its operations.

Should Meta be ultimately obligated to halt data transfers, the social media giant might have to undertake a costly and complex overhaul of its operations. Meta operates 21 data centers as listed on its website, with 17 located in the United States and only three in Europe (Denmark, Ireland, and Sweden), with the remaining one in Singapore.

Other social media behemoths are also under scrutiny for their data-handling practices. TikTok has embarked on a $1.5 billion initiative to store US user data on Oracle servers to assuage Western concerns regarding potential cybersecurity threats.

The record-breaking fine against Meta signals the European Union’s continued commitment to maintaining stringent data privacy regulations. As concerns over data transfer practices between the EU and the US persist, this ruling might inspire further examinations of data management policies by tech giants. Companies worldwide will likely watch the unfolding legal developments closely, as they may set significant precedents in global data privacy regulation.