The European Union slammed Meta with a record $1.3 billion privacy fine on Monday and ordered it to stop transferring users’ personal information across the Atlantic by October, the latest salvo in a decades-long case sparked by fears of cyber snooping in the United States.
The €1.2 billion fine is the largest since the EU’s strict data privacy regime came into force five years ago, surpassing Amazon’s €746 million fine in 2021 for data protection breaches.
Meta, which previously warned that services to its users in Europe could be shut down, vowed to appeal and ask the courts to immediately suspend the decision.
The company said “there is no immediate disruption to Facebook in Europe.” The decision applies to user data such as names, email and IP addresses, messages, viewing history, geolocation data and other information that Meta – and other tech giants such as Google – use for targeted online advertising.
“This decision is wrong, unjustified and sets a dangerous precedent for the countless other companies that transfer data between the EU and the US,” said Nick Clegg, Meta’s president of global affairs, and general counsel Jennifer Newstead in a statement.
Trudeau calls Meta’s decision to block news in Canada ‘irresponsible and out of touch’
It is yet another twist in a legal battle that began in 2013 when Austrian lawyer and privacy activist Max Schrems filed a complaint about Facebook’s handling of his data following former National Security Agency contractor Edward Snowden’s revelations about electronic surveillance by US security agencies. That included the revelation that Facebook gave the agencies access to the personal data of Europeans.
The saga has highlighted the clash between Washington and Brussels over the differences between Europe’s strict approach to data privacy and the comparatively lax regime in the US, which lacks a federal privacy law. The EU has been a global leader in reining in the power of Big Tech with a series of regulations forcing them to control their platforms more strictly and protect users’ personal information.
An agreement covering data transfers between the EU and the US, known as the Privacy Shield, was struck down in 2020 by the EU’s top court, which said it did not do enough to protect residents from the US government’s electronic prying. Monday’s decision confirmed that another tool for governing data transfers — warehouse contracts — was also invalid.
Brussels and Washington signed an agreement last year on a revamped Privacy Shield that Meta could use, but the pact is awaiting a decision by European officials on whether it adequately protects data privacy.
EU institutions have been reviewing the agreement and the bloc’s lawmakers this month called for improvements, saying safeguards are not strong enough.
Ireland’s Data Protection Commission handed out the fine as Meta’s lead privacy regulator in the 27-nation bloc because the Silicon Valley tech giant’s European headquarters are based in Dublin.
The Irish watchdog said it gave Meta five months to stop sending European user data to the US and six months to bring its data operations into compliance “by ceasing the unlawful processing, including storage, in the US” of European users’ personal data transferred in violation of the block’s privacy rules.
In other words, Meta has to delete all that data, which could be a bigger problem than the fine, said Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, a nonprofit rights group that has worked on digital and data issues.
Meta set to block news on Facebook, Instagram from Canadian users
“This data deletion order is really a headache for Meta,” Ryan said. If the company has to scrub data for hundreds of millions of EU users going back 10 years, “it’s very difficult to see how it will be able to comply with that order.”
If a new transatlantic privacy agreement enters into force before the deadlines, “our services can continue as they do today without any disruption or impact to users,” Meta said.
Schrems predicted that Meta has “no real chance” of having the decision substantially overturned. And a new privacy pact may not mean the end of Meta’s problems, as there is a good chance it could be thrown out by the EU’s highest court, he said.
“Meta plans to rely on the new agreement for transfers going forward, but this is unlikely to be a permanent fix,” Schrems said in a statement. “Unless US surveillance laws are fixed, Meta will likely have to keep EU data in the EU.”
Schrems said one possible solution could be a “federated” social network, where European data stays in Meta’s data center in Europe, “unless, for example, users are chatting with an American friend.”
Meta warned in its latest earnings report that without a legal basis for data transfers, it will be forced to stop offering its products and services in Europe, “which would materially and adversely affect our business, financial condition and results.”
The social media company may have to undertake a costly and complex restructuring of its operations if it is ultimately forced to halt the transfers. Meta has a fleet of 21 data centers, according to its website, but 17 of them are in the United States. Three others are in the European nations of Denmark, Ireland and Sweden. Another is in Singapore.
Other social media giants are facing pressure over their data practices. TikTok has sought to calm Western fears about the Chinese-owned short video-sharing app’s potential cybersecurity risks with a $1.5 billion project to store US user data on Oracle servers.
© 2023 The Canadian Press