Meta was slapped with a record-breaking fine of 1.2 billion euros ($1.3 billion) on Monday and ordered to halt the transfer of data collected from Facebook users in Europe to the United States. The ruling, a significant blow to the social media giant, came as a result of its violation of European Union data protection regulations.
The penalty, issued by the Data Protection Commission in Ireland, is potentially one of the most significant since the implementation of the General Data Protection Regulation (GDPR) five years ago. Regulators found that Meta failed to comply with a 2020 decision by the European Union's highest court, which determined that data transferred across the Atlantic lacked adequate protection against surveillance by American intelligence agencies.
It's important to note that the ruling only applies to Facebook and not other platforms owned by Meta, such as Instagram and WhatsApp. Meta intends to appeal the decision, assuring users in the European Union that there will be no immediate disruption to Facebook's services.
Although Meta has been given a grace period of five months to comply, there are still several steps to be taken before the company must segregate the data of Facebook users in Europe, including photos, connections, messages, and targeted advertising information. The appeals process could also extend the legal proceedings.
Negotiations are underway between the European Union and American officials for a new data-sharing agreement that would provide legal safeguards for Meta to continue transferring user information between the United States and Europe. An initial agreement was announced last year.
The case against Meta originated from U.S. policies granting intelligence agencies the authority to intercept international communications, including digital correspondences. In 2020, Austrian privacy activist Max Schrems successfully invalidated the U.S.-EU Privacy Shield pact, which had permitted companies like Facebook to transfer data between the two regions. The European Court of Justice concluded that the risk of U.S. surveillance violated the fundamental rights of European users.
Mr. Schrems stated that unless U.S. surveillance laws are rectified, Meta would need to restructure its systems significantly. He suggested a "federated social network" as a potential solution, where most personal data remains within the EU except for "necessary" transfers, such as direct messages between Europeans and individuals in the United States.
Meta argues that it is being unfairly targeted for data-sharing practices common among thousands of companies.
The ruling, imposing the largest fine under the GDPR, was widely anticipated. Meta's chief financial officer previously disclosed that around 10% of its global ad revenue stemmed from ads shown to Facebook users in EU countries. In 2022, Meta reported revenue of nearly $117 billion.
Meta, along with other companies, is relying on a new data agreement between the United States and the European Union to replace the invalidated pact of 2020. While the outlines of a deal were announced last year by President Biden and European Commission President Ursula von der Leyen, the specifics are still being negotiated.
Meta now faces the challenge of potentially deleting vast amounts of data associated with Facebook users in the European Union, a task made difficult due to the interconnected nature of internet companies.
The decision against Meta coincides closely with the fifth anniversary of the GDPR. Although initially hailed as a model privacy law, the lack of enforcement has led to criticism from civil society groups and privacy advocates.
Critics often highlight a provision that requires regulators in the country where a company has its EU headquarters to enforce the extensive privacy law. Ireland, serving as the regional headquarters for Meta, TikTok, Twitter, Apple, and Microsoft, has faced particular scrutiny.
Irish authorities stated on Monday that they were overruled by a board comprised of representatives from EU member countries. The board insisted on the 1.2 billion euro fine and demanded that Meta address past data collection practices, including potential data deletion.