Meta (formerly Facebook) has been slapped with a record-breaking fine of $1.3 billion (€1.2 billion) by EU data regulators and ordered to halt the transfer of Facebook user data from the EU to the US. The ruling was made by Ireland’s Data Protection Commission (DPC), stating that the current legal framework for such data transfers fails to address the risks posed to the fundamental rights and freedoms of EU users and violates GDPR. The fine surpasses the previous EU record set in 2021 when Amazon was fined €746 million for similar privacy violations.
Data transfers to the US are crucial for Meta’s extensive ad-targeting operations, which rely on processing vast amounts of personal data from users. Last year, Meta warned that it might have to consider shutting down Facebook and Instagram in the EU if it could not transfer data to the US, a statement that EU politicians perceived as a blatant threat. EU lawmaker Axel Voss responded, asserting that Meta cannot use blackmail to compromise EU data protection standards and that leaving the EU would ultimately be the company’s loss.
Previously, data transfers were safeguarded by the Privacy Shield, a transatlantic pact. However, this framework was invalidated in 2020 by the EU’s top court due to its failure to protect data from US surveillance programs. The ruling was a response to a claim by Austrian lawyer Max Schrems, whose legal battle against Facebook originated in 2013 with Edward Snowden’s revelations about US surveillance practices.
Although Meta has now been ordered to halt data transfers, there are several caveats that favor the US social media giant. Firstly, the ruling only applies to Facebook data, excluding other Meta entities like Instagram and WhatsApp. Secondly, there is a five-month grace period before Meta must cease future transfers and a six-month deadline to halt the storage of existing data in the US. Lastly, the EU and US are currently negotiating a new data transfer agreement, expected to be implemented between this summer and October.
Despite the hefty fine, experts doubt that it will bring about any fundamental changes in Meta’s privacy practices. Johnny Ryan from the Irish Council for Civil Liberties commented that a billion-euro penalty is inconsequential to a company that generates far more revenue by disregarding regulations. Max Schrems, on the other hand, expressed satisfaction with the decision, stating that the fine could have been even higher considering Meta’s deliberate violation of the law over a decade.
Meta responded to the fine by deeming it “unjustified and unnecessary” in a blog post written by Meta’s President for Global Affairs, Nick Clegg, and Chief Legal Officer, Jennifer Newstead. The company emphasized that it is one of “thousands” of firms employing similar legal frameworks for data transfers. Meta intends to appeal the decisions and seek a stay from the courts to pause implementation deadlines, citing the potential harm to the millions of people who use Facebook daily.
Schrems predicted that any legal appeal would likely be unsuccessful and suggested that the new EU-US data transfer protocol would face similar legal challenges as the current arrangement. He stated that unless US surveillance laws are rectified, Meta will probably have to store EU data within the EU.