Meta has been hit with a record-breaking $1.3 billion fine (€1.2 billion) by EU data regulators, and ordered to stop transferring the Facebook data of EU citizens to the US. EU courts believe such data transfers expose EU citizens to privacy violations — a complaint that stems back to 2013 and revelations by whistleblower Edward Snowden about US mass surveillance programs.
The ruling was made by Ireland’s Data Protection Commission (DPC), which said that that the current legal framework for data transfers to the US “did not address the risks to the fundamental rights and freedoms” of Facebook’s EU users and violated GDPR. The fine exceeds the previous EU record of €746 million levied against Amazon in 2021 for similar privacy violations.
Transferring data to the US is critical for Meta’s vast ad-targeting operation, which relies on processing multiple streams of personal data from its users. Last year, Meta said it would be forced to consider shutting down Facebook and Instagram in the EU it wasn’t able to send data back to the US; a warning EU politicians saw as an obvious threat. “Meta cannot just blackmail the EU into giving up its data protection standards,” replied EU lawmaker Axel Voss to the news. “Leaving the EU would be their loss.”
Previously, these data transfers were protected by a transatlantic pact known as the Privacy Shield. But this framework was declared invalid in 2020 after the EU’s top court found that it did not protect data from being scraped by US surveillance programs. This ruling was given in response to a claim by Austrian lawyer Max Schrems, whose legal battle against Facebook dates back to 2013 and the original Snowden revelations of US surveillance.
Although Meta has now been ordered to stop these data transfers, there are a number of caveats that benefit the US social media giant. First, the ruling only applies to data from Facebook, not other Meta companies like Instagram and WhatsApp. Second, there’s a five-month grace period before Meta has to stop future transfers, and a six-month deadline to stop holding current data in the US. Third, and most important, the EU and US are currently negotiating a new deal to transfer data that could be in place as early as this summer and as late as October.
Despite the record-breaking size of the fine, experts expressed doubt that it will change anything fundamental about Meta’s privacy practices. “A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally,” Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, told The Guardian this weekend.
Others were more triumphant. “We are happy to see this decision after ten years of litigation,” said Schrems, whose 2013 legal challenge is the origin of today’s ruling, in a press release. “The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years.”
Meta itself described the fine as “unjustified and unnecessary” in a blog post written by Meta’s president for global affairs, Nick Clegg, and the company’s chief legal officer, Jennifer Newstead. The company stressed that it’s only one of “thousands” of companies that use similar legal frameworks to transfer data.
“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” write Clegg and Newstead.
Schrems predicts that any legal appeal of the decision will be unsuccessful. He also suggested that the new EU-US data transfer protocol will be as vulnerable to legal challenge as the current arrangement. “Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix,” said Schrems. “Unless US surveillance laws gets fixed, Meta will likely have to keep EU data in the EU.”
Update, Monday 22nd May, 05:26AM ET: Story updated to add more details from the DPC’s ruling and reaction from Max Schrems and Meta.