European Union data regulators have hit Meta with a $1.3 billion fine (about €1.2 billion) and ordered the company to cease transferring EU Facebook user data to the US by October. The fine exceeds Amazon’s $886 million fine from the EU for data protection violations in 2021.
Meta says it plans to appeal the ruling, and seeking a stay of the order.
In 2013, US whistleblower Edward Snowden leaked highly classified information about the National Security Agency’s global surveillance programs, sparking discussions about Facebook’s data handling policies. Snowden’s revelations disclosed that Facebook provided the NSA and other US government agencies with European users’ personal data.
Also: Best secure browsers for privacy
Immediately after the whistleblowing, Austrian lawyer and privacy activist Max Schrems began petitioning the EU courts to investigate further Facebook’s data transfers from the EU to the US.
Since then, EU regulators have made efforts to stop tech companies from transferring European user data to other countries. The EU has some of the most well-incorporated data protection laws that cover every citizen in every nation that belongs to the EU. The EU’s General Data Protection Regulation (GDPR) regulates how much and what kind of personal data leaves the EU.
The GDPR has clauses that allow tech companies like Facebook to operate within the EU under the condition that EU user data remains protected, even when it leaves the EU. But the laws are complex and sometimes difficult to enforce when EU web surfers use American social media sites, as the US has no federal laws to protect user data.
Also: How to encrypt your email
For the last few years, the EU and the U.S. have attempted — with no success – to find agreement on how to handle EU user data. Now, the courts are saying Facebook violated the GDPR’s clauses by allowing EU Facebook users’ data to be surveilled by the US. government.
The Irish watchdog, Ireland’s Data Protection Commission, is Meta’s main privacy regulator within the EU because the company is headquartered in Dublin. In addition to the monetary fine, Meta was ordered to stop sending EU user data to the US. by October and to restructure its data storage methods by November to comply with the EU’s privacy rules.
According to the Commission, Meta must stop the “unlawful processing, including storage, in the US,” which means Meta would have to delete all of the EU user data it has.
Also: The best VPNs for iPhone and iPad
Until 2020, Meta and the EU had an agreement about how to handle user data under a deal called Privacy Shield. Privacy Shield pertained to thousands of tech, auto, and financial companies and dictated how EU data was transferred to the US.
But in 2020, Privacy Shield was struck down by the EU’s top court, ruling that the agreement still allowed the US government to access EU user data. Without Privacy Shield and without a new agreement, Meta’s fate in the EU is unclear.
Late last year, The European Commission announced that the EU and the US were drafting another deal like Privacy Shield, but this deal would include more legal protections and safeguards for EU user data.
However, like any piece of legislation, drafting an agreement that both parties are happy with will take time and might not be ready before Meta’s October deadline to cease data transfers.
In Meta’s latest earning report, the company said it may have to stop offering Facebook in Europe, “which would materially and adversely affect our business, financial condition, and results of operations.” The company says that to continue operating in the EU, a deal between the EU and the US about user data storage must occur.
Also: 4 ways to secure your remote work setup
But according to EU lawmaker Axel Voss, Meta “cannot just blackmail the EU into giving up its data protection standards,” he tweeted in response to Meta.
Some experts say that although Meta’s $1.3 billion fine is hefty and the largest in EU data privacy suit history, the money is not Meta’s biggest issue. Meta must reimagine its data transfer policies, which will prove difficult as the legal framework surrounding the issue is nonexistent in the US.
“This order to delete data is really a headache for Meta,” said Johnny Ryan, senior fellow at the Irish Council for Civil Liberties. “It is very hard to see how it will be able to comply with that order.”
On the other hand, some say the large fine shows tech companies that data privacy is something the EU takes very seriously.
Also: Don’t get scammed by fake ChatGPT apps: Here’s what to look for
“The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences,” said Andrea Jelinek, the chairwoman of the European Data Protection Board.