Meta Fined $1.3 Billion for Violating EU Data Privacy Rules
LONDON — Meta on Monday was fined a record 1.2 billion euros ($1.3 billion) and ordered to stop transferring data collected from Facebook users in Europe to the United States, in a major ruling against the social media company for violating European Union data protection rules.
The penalty, announced by Ireland’s Data Protection Commission, is potentially one of the most consequential in the five years since the EU enacted the landmark data privacy law known as the General Data Protection Regulation. Regulators said the company failed to comply with a 2020 decision by the EU’s highest court that Facebook data shipped across the Atlantic was not sufficiently protected from U.S. spy agencies.
But it remains unclear if or when Meta will ever need to cordon off the data of Facebook users in Europe. Meta said it would appeal the decision, setting up a potentially lengthy legal process.
At the same time, EU and U.S. officials are negotiating a new data-sharing pact that would provide legal protections for Meta and scores of other companies to continue moving information between the United States and Europe — a pact that could nullify much of the EU’s ruling Monday. A preliminary deal was announced last year.
The ruling, which comes with a grace period of at least five months before Meta needs to comply, applies only to Facebook and not Instagram and WhatsApp, which Meta also owns. The company said there would be no immediate disruption to Facebook’s service in the EU.
Still, the EU decision shows how government policies are upending the borderless way data has traditionally moved. As a result of data-protection rules, national security laws and other regulations, companies are increasingly being pushed to store data within the country where it is collected, rather than allowing it to move freely to data centers around the world.
The case against Meta stems from U.S. policies that give intelligence agencies the ability to intercept communications from abroad, including digital correspondence. In 2020, an Austrian privacy activist, Max Schrems, won a lawsuit to invalidate a U.S.-EU pact, known as Privacy Shield, that had allowed Facebook and other companies to move data between the two regions. The European Court of Justice said the risk of U.S. snooping violated the fundamental rights of European users.
“Unless U.S. surveillance laws get fixed, Meta will have to fundamentally restructure its systems,” Schrems said in a statement Monday. The solution, he said, was likely a ”federated social network” in which most personal data would stay in the EU except for “necessary” transfers like when a European sends a direct message to somebody in the United States.
On Monday, Meta said it was being unfairly singled out for data-sharing practices used by thousands of companies.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, the chief legal officer, said in a statement.
The ruling, which is a record fine under the General Data Protection Regulation, could affect data related to photos, friend connections and direct messages stored by Meta. It has the potential to bruise Facebook’s business in Europe, particularly if it hurts the company’s ability to target ads. Last month, Susan Li, Meta’s chief financial officer, told investors that about 10% of its worldwide ad revenue came from ads delivered to Facebook users in EU countries. In 2022, Meta had revenue of nearly $117 billion.
Meta and other companies are counting on a new data agreement between the U.S. and the EU to replace the one invalidated by European courts in 2020. Last year, President Joe Biden and Ursula von der Leyen, the president of the European Commission, announced the outlines of a deal in Brussels, but the details are still being negotiated.
Without a deal, the ruling against Meta shows the legal risks that companies face in continuing to move data between the EU and U.S.
Meta faces the prospect of having to delete vast amounts of data about Facebook users in the EU, said Johnny Ryan, senior fellow at the Irish Council for Civil Liberties. That would present technical difficulties given the interconnected nature of internet companies.
“It is hard to imagine how it can comply with this order,” said Ryan, who has pushed for stronger data-protection policies.
The decision against Meta comes almost exactly on the five-year anniversary of GDPR. Initially held up as a model data privacy law, many civil society groups and privacy activists have said it has not fulfilled its promise because of lack of enforcement.
Much of the criticism has focused on a provision that requires regulators in the country where a company has its EU headquarters to enforce the far-reaching privacy law. Ireland, home to the regional headquarters of Meta, TikTok, Twitter, Apple and Microsoft, has faced the most scrutiny.
On Monday, Irish authorities said they were overruled by a board made up of representatives from EU countries. The board insisted on the 1.2 billion-euro fine and forcing Meta to address past data collected about users, which could include deletion.
“The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences,” said Andrea Jelinek, the chair of the European Data Protection Board, the EU body that set the fine.
Meta has been a frequent target of regulators under the GDPR. In January, the company was fined 390 million euros for forcing users to accept personalized ads as a condition of using Facebook. In November, it was fined another 265 million euros for a data leak.
This article originally appeared in The New York Times.
