Meta has copped another huge fine from regulators, with the European Data Protection Board (EDPU) hitting the company with a €1.2 billion penalty – equivalent to $1.3 billion USD – for transferring EU user data back to the US without explicit permission or adequate protections in place.
The fine, the largest of its kind in history, relates to Meta’s data transfers since 2020, when the EU implemented its more stringent GDPR regulations. The GDPR gives users more control over their personal data and how it’s used, and its implementation meant that Meta would need to take more definitive measures to protect EU citizen information.
Meta has repeatedly noted that its willing to work with the EU to update its approach on this front. But regardless, Austrian privacy campaigner Max Schrems argued that its systems are not in compliance with the intent of the EU policy, and subsequently expose EU users to data surveillance in the US, thus breaking international law, and leading to this latest fine.
Meta has also been ordered to bring its data transfers into compliance with the GDPR, or face potential suspension in the region.
As per EDPU:
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
In response, Meta has said that it will appeal the decision, while also highlighting the risks of fragmenting the web as a result of this approach.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on. That’s why providing a sound legal basis for the transfer of data between the EU and the US has been a political priority on both sides of the Atlantic for many years.”
And as noted, Meta also says that it's been working in good faith with EU regulators on a new Data Privacy Framework, which would enable a more collaborative resolution to the issue, while also recognizing that Meta has acted in good faith in complying with current laws.
But now, Meta says, the EDPU has gone against this, in issuing a fine based on what it claims is an unfair reading of its efforts.
It’s a major blow for the company, at a time when it’s already reeling from the global downturn in ad spend, and restrictions on data collection as a result of Apple’s iOS 14 update. Meta’s culled thousands of jobs over the past year, and you can only imagine that this new fine will only squeeze the company further, as it continues to invest heavily in Zuckerberg’s metaverse vision.
And the pain may not be over for Meta yet. In addition to today’s fine, Meta may also be up for civil litigation, due to an upcoming change in EU law, while it could also face yet another significant loss in ad revenue as a result of any suspensions that may stem from this ruling.
As such, it’s no surprise to see Meta challenging the fine. But legal experts don’t see any real way for Meta to avoid paying, or settling with the EU to a significant degree.
It’s also interesting from a data transfer perspective, amid broader debate around TikTok’s potential links to the Chinese Government. As Meta notes, shifts like this risk splintering the internet, and siloing off different regions into their own online fiefdoms, which could make future interaction more restricted.
That could be the end result of rulings like this - though it’s worth also noting that Zuckerberg himself has, in the past, made efforts to get TikTok restricted in the US on similar grounds (though Zuckerberg has since noted that banning the app would set a ‘really bad long-term precedent’).
The next step will be a protracted court battle, as Meta seeks to reduce the penalty. But eventually, it does seem that Meta will have to pay, while it’ll also need to update its EU policies in line with the ruling.