Meta has been hit with a record $1.3 billion (€1.2 billion) fine by EU data regulators and ordered to stop transferring EU citizens’ Facebook data to the US. EU courts believe such data transfers expose EU citizens to privacy violations – a complaint dating back to 2013 and revelations by whistleblower Edward Snowden about US mass surveillance programs.
The ruling was made by Ireland’s Data Protection Commission (DPC), which said the current legal framework for data transfers to the US “does not address the risks to the fundamental rights and freedoms of Facebook’s EU users and is in breach of the GDPR. The fine surpasses the previous EU record of €746 million imposed against Amazon in 2021 for similar privacy violations.
Transferring data to the US is critical to Meta’s extensive ad-targeting operation, which relies on processing multiple streams of personal data from its users. Last year, Meta said it should consider shutting down Facebook and Instagram in the EU, it was unable to send data back to the US; a warning that EU politicians saw as a clear threat. “Meta can’t just blackmail the EU into giving up its data protection standards,” replied EU legislator Axel Voss to the news. “Leaving the EU would be their loss.”
Previously, these data transfers were protected by a transatlantic pact known as the Privacy Shield. But this framework was invalidated in 2020 after the EU’s highest court found that it failed to protect data from being scrapped by US surveillance programs. The ruling was made in response to a claim by Austrian lawyer Max Schrems, whose legal battle against Facebook dates back to 2013, and Snowden’s original revelations about US surveillance.
While Meta has now been ordered to stop these data transfers, there are a number of caveats that benefit the US social media giant. First, the ruling only applies to data from Facebook, not to other meta companies such as Instagram and WhatsApp. Second, there’s a five-month grace period before Meta must stop future transfers, and a six-month deadline to stop retaining current data in the US. Third, and most importantly, the EU and the US are currently negotiating a new deal to transfer data that could be available as early as this summer and as late as October.
Despite the record size of the fine, experts doubt it will fundamentally change Meta’s privacy practices. “A parking fine of a billion euros will not affect a company that makes many more billions from illegal parking,” said Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. The protector this weekend.
Others were more triumphant. “We are pleased with this decision after 10 years of litigation,” Schrems, whose 2013 legal challenge is the origin of today’s ruling, said in a press release. “The fine could have been much higher, as the maximum fine is over 4 billion and Meta knowingly broke the law to make a profit for ten years.”
Meta itself described the fine as “unjustified and unnecessary” in a blog post written by Meta’s president of global affairs, Nick Clegg, and the company’s chief legal officer, Jennifer Newstead. The company stressed that it is just one of “thousands” of companies using similar legal frameworks to transfer data.
“We are appealing these decisions and will immediately seek a stay in the courts that can pause implementation deadlines given the harm these orders would cause, including to the millions of people who use Facebook every day,” Clegg and Newstead write.
Schrems predicts that any legal appeal against the decision will be unsuccessful. He also suggested that the new EU-US data transfer protocol will be just as vulnerable to legal challenge as the current arrangement. “Meta intends to rely on the new deal for transfers going forward, but this is unlikely to be a permanent solution,” said Schrems. “Unless U.S. surveillance laws are resolved, Meta will likely have to keep EU data in the EU.”
Update, Monday, May 22, 5:26 AM ET: Story updated with more details from the DPC ruling and response from Max Schrems and Meta.