Meta, the parent company of Facebook, Instagram and WhatsApp, has been dealt a severe blow as EU data regulators impose a staggering €1.2 billion ($1.3 billion) fine and prohibit the transfer of Facebook user data from EU citizens to the United States. The European Union courts claim that such data transfers compromise the privacy rights of EU citizens, citing concerns dating back to 2013 when whistleblower Edward Snowden exposed US mass surveillance programs.
The ruling, issued by Ireland's Data Protection Commission (DPC), stated that the existing legal framework for data transfers to the US fails to adequately address the risks to the fundamental rights and freedoms of Facebook's EU users, thereby violating the General Data Protection Regulation (GDPR). This fine surpasses the previous EU record of €746 million imposed on Amazon in 2021 for similar privacy violations.
For Meta, transferring data to the US is integral to its extensive ad-targeting operations, which heavily rely on processing multiple streams of personal data from its users. In response to the threat of losing this capability, Meta had previously warned that it might consider shutting down Facebook and Instagram in the EU. EU politicians perceived this as an overt threat, with lawmaker Axel Voss retorting, "Meta cannot just blackmail the EU into giving up its data protection standards. Leaving the EU would be their loss."
Formerly, these data transfers were protected by the transatlantic agreement known as the Privacy Shield. However, in 2020, the European Union's highest court invalidated the Privacy Shield, ruling that it did not adequately safeguard data from US surveillance programs. This decision came as a result of a claim made by Austrian lawyer Max Schrems, whose legal battle against Facebook commenced in 2013 following Snowden's revelations.
While Meta has now been ordered to cease these data transfers, several exceptions favor the US social media giant. Firstly, the ruling applies exclusively to data from Facebook and does not encompass other Meta subsidiaries like Instagram and WhatsApp. Secondly, there is a five-month grace period before Meta must halt future transfers and a six-month deadline to discontinue retaining current data in the US. Lastly, negotiations between the EU and the US are ongoing to establish a new data transfer agreement, which could be implemented as early as this summer or as late as October.
Despite the size of the record-breaking fine, experts remain skeptical that it will trigger substantial changes in Meta's privacy practices. Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, remarked, "A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally," in an interview with The Guardian.
Conversely, others celebrated the decision. Max Schrems, whose 2013 legal challenge formed the basis for the current ruling, expressed satisfaction, stating, "We are happy to see this decision after ten years of litigation," in a press release. He added, "The fine could have been much higher, given that the maximum fine is more than €4 billion, and Meta has knowingly broken the law to make a profit for ten years."
Meta's response to the fine was emphatic, as the company's president for global affairs, Nick Clegg, and chief legal officer, Jennifer Newstead, published a blog post denouncing the penalty as "unjustified and unnecessary." They stressed that Meta is just one of "thousands" of companies that employ similar legal frameworks to transfer data and announced their intention to appeal the decisions while simultaneously seeking a stay order from the courts to delay the implementation deadlines.