EU Privacy Battle: Meta Must Cease Data Transfers, Pay Record $1.3B Fine
Meta, the parent company of Facebook, has been fined a record $1.3 billion by the European Union (EU) and ordered to cease transferring European users’ personal data to the United States. This decision is the latest development in a decade-long legal battle sparked by concerns over U.S. surveillance activities. The EU’s penalty of 1.2 billion euros exceeds the previous record fine imposed on Amazon for data protection violations in 2021.
The EU’s decision comes as a blow to Meta, which had warned that its services in Europe could be disrupted. The ruling applies to user data such as names, email addresses, IP addresses, messages, viewing history, and geolocation data. Meta, along with other tech giants like Google, uses this information for targeted online advertising.
Meta has expressed its intention to appeal the decision and has requested that the courts immediately suspend its enforcement. The company’s President of Global Affairs, Nick Clegg, and Chief Legal Officer, Jennifer Newstead, criticized the ruling, stating that it sets a dangerous precedent for other companies transferring data between the EU and the U.S.
Meta, the parent company of Facebook, has issued a warning that it may shut down Facebook and Instagram in Europe if it is unable to transfer user data back to the United States. This comes as European regulators are developing new legislation to govern the transfer of EU citizens’ data across the Atlantic. The European Court of Justice previously ruled that the existing data transfer standard between the EU and the U.S. does not adequately protect European citizens’ privacy.
In its annual report, Meta stated that if a new transatlantic data transfer framework is not adopted and it cannot rely on standard contractual clauses or other alternative means of data transfers, it would likely be unable to offer significant products and services, including Facebook and Instagram, in Europe. The potential shutdown of these platforms in Europe could have a substantial negative impact on Meta’s business, financial condition, and results of operations. Investors have been cautious amidst a wider decline in tech stocks, with shares of Meta down over 30% this year due to market concerns and weaker-than-expected performance.
The legal battle began in 2013 when Austrian lawyer and privacy activist Max Schrems filed a complaint against Facebook regarding the handling of his data in light of Edward Snowden’s revelations about U.S. surveillance. This case highlights the divergence between the EU’s stringent data privacy regulations and the relatively lax regime in the U.S., which lacks a federal privacy law. The EU has been at the forefront of regulating Big Tech and protecting users’ personal information.
The EU’s top court invalidated the Privacy Shield agreement in 2020, which governed EU-U.S. data transfers, stating that it did not provide adequate protection against U.S. government surveillance. Another mechanism for data transfers, stock legal contracts, was also deemed invalid. While a new transatlantic privacy agreement was reached in 2022, its adequacy in safeguarding data privacy is under scrutiny by EU officials.
The fine was imposed by the Irish Data Protection Commission, which acts as Meta’s lead privacy regulator in the EU since the company’s European headquarters is based in Dublin. The Irish watchdog has given Meta five months to halt the transfer of European user data to the U.S. and six months to bring its data operations into compliance with EU privacy rules by deleting unlawfully processed data.
The repercussions for Meta extend beyond the fine itself. The company may face the challenge of erasing vast amounts of data for hundreds of millions of EU users, which could pose significant operational difficulties. Without a legal basis for data transfers, Meta may be forced to halt its services in Europe, adversely affecting its business and financial condition.
This ruling against Meta is likely to increase pressure on the U.S. government to implement surveillance reforms that would address the concerns of the EU and enable the continuation of data transfers. The outcome of this legal battle will have implications not only for Meta but also for other multinational companies that rely on the free flow of data across the Atlantic.
Editor’s note: I cannot conceive of data being “erased” given that it is worth billions of dollars. While their hearts are in the right place, the EU cannot effectively police this inside a company with some of the best technologists in the world. Meta, Amazon, Alphabet, Tiktok, none of these take privacy seriously.