Meta fined $1.3 billion for breaching EU data privacy rules

Meta was fined a record €1.2 billion ($1.3 billion) on Monday and ordered to stop transferring data collected from Facebook users in Europe to the United States, in an important decision against the social media company for violating European Union data protection rules.

The penalty, announced by Ireland’s Data Protection Commission, is potentially one of the biggest in the five years since the European Union enacted the landmark data privacy law known as the General Data Protection Regulation. Regulators said the company failed to comply with a 2020 ruling by the European Union’s highest court that Facebook data sent across the Atlantic was not sufficiently protected from US spy agencies.

But it remains unclear if or when Meta will need to isolate data from Facebook users in Europe. Meta said it would appeal the ruling, setting up a potentially lengthy legal process.

At the same time, European Union and US authorities are negotiating a new data-sharing pact that would provide legal protection for Meta and dozens of other companies to continue transferring information between the United States and Europe – a pact that could nullify much of the European Union decision on Monday. A preliminary agreement was announced last year.

The ruling, which comes with a grace period of at least five months before Meta needs to comply, only applies to Facebook and not Instagram and WhatsApp, which Meta also owns. The company said there will be no immediate disruption to Facebook’s service in the European Union.

Still, the EU decision shows how government policies are disrupting the borderless way that data traditionally travels. As a result of data protection rules, national security laws and other regulations, companies are under increasing pressure to store data within the country where it is collected, rather than allowing it to move freely to data centers around the world.

The case against Meta stems from US policies that give intelligence agencies the ability to intercept communications from abroad, including digital correspondence. In 2020, an Austrian privacy activist, Max Schrems, won a lawsuit to invalidate a US-EU pact, known as the Privacy Shield, which allowed Facebook and other companies to move data between the two regions. The European Court of Justice said the risk of US spying violated the fundamental rights of European users.

“Unless US surveillance laws are fixed, Meta will have to fundamentally restructure its systems,” Schrems said in a statement on Monday. The solution, he said, is likely a “federated social network” in which most personal data would remain in the European Union, except for “necessary” transfers, such as when a European sends a direct message to someone in the United States.

On Monday, Meta said it was being unfairly singled out for data-sharing practices used by thousands of companies.

“Without the ability to transfer data across borders, the internet risks being divided into national and regional silos, constraining the global economy and leaving citizens of different countries unable to access many of the shared services we have come to rely on,” Nick Clegg, Meta’s president of global affairs, and Jennifer G. Newstead, the company’s chief legal officer, said in a statement.

The decision, which is a record fine under the General Data Protection Regulation, or GDPR, could affect data related to photos, friend connections and direct messages stored by Meta. It has the potential to hurt Facebook’s business in Europe, particularly if it hurts the company’s ability to target ads. Last month, Susan Li, Meta’s chief financial officer, told investors that about 10 percent of its worldwide advertising revenue came from ads delivered to Facebook users in EU countries. In 2022, Meta had revenues of nearly $117 billion.

Meta and other companies are counting on the new data agreement between the United States and the European Union to replace the one invalidated by European courts in 2020. Last year, President Biden and Ursula von der Leyen, president of the European Commission, announced the outlines of a deal in Brussels, but the details are still being negotiated.

Without a deal, the decision against Meta shows the legal risks companies face in continuing to move data between the European Union and the United States.

Meta faces the prospect of having to delete large amounts of data about Facebook users in the European Union, said Johnny Ryan, a senior member of the Irish Council for Civil Liberties. This would present technical difficulties, given the interconnected nature of Internet companies.

“It’s hard to imagine how she can enforce this order,” said Ryan, who advocates stricter data protection policies.

The decision against Meta was announced almost exactly on the five-year anniversary of the GDPR. Many civil society groups and privacy activists said the data privacy law, initially considered a model, had failed to deliver on its promise due to lack of enforcement.

Much of the criticism has focused on a clause that requires regulators in the country where a company is based in the European Union to enforce the far-reaching privacy law. Ireland, home to the regional headquarters of Meta, TikTok, Twitter, Apple and Microsoft, faced the most scrutiny.

On Monday, Irish officials said they had been rejected by a council made up of representatives from EU countries. The council insisted on imposing the €1.2 billion fine and forcing Meta to address past data collected on users, which could include deletion.

“The unprecedented fine is a strong signal to organizations that serious breaches have far-reaching consequences,” said Andrea Jelinek, president of the European Data Protection Board, the EU body that set the fine.

Meta has been a frequent target of regulators under the GDPR. In January, the company was fined €390 million for forcing users to accept personalized ads as a condition of using Facebook. In November, it was fined €265 million for data leaks.

