European Union data regulators hit Meta with a $1.3 billion fine (about €1.2 billion) and ordered the company to stop transferring EU Facebook user data to the US in October. The fine exceeds Amazon’s $886 million fine from the EU for data protection violations in 2021.
Meta said it plans to appeal the decision, and seek to stay the order.
In 2013, US whistleblower Edward Snowden leaked highly classified information about the National Security Agency’s worldwide surveillance programs, sparking discussions about Facebook’s data management policies. Snowden’s revelations revealed that Facebook provided the NSA and other US government agencies with the personal data of European users.
Also: Best secure browsers for privacy
After the whistleblowing, Austrian lawyer and privacy activist Max Schrems started petitioning the EU courts to investigate further transfers of Facebook data from the EU to the US.
Since then, EU regulators have been trying to stop tech companies from transferring European user data to other countries. The EU has some of the best incorporated data protection laws covering every citizen of every EU member country. The EU’s General Data Protection Regulation (GDPR) regulates how much and what kind of personal data leaves the EU.
The GDPR contains clauses that allow tech companies like Facebook to operate within the EU under the condition that EU user data remains protected, even if it leaves the EU. But the laws are complex and sometimes difficult to enforce when EU web surfers use American social media sites, because the US has no federal law to protect user data.
Also: How to encrypt your email
For the past few years, the EU and the US have tried — without success — to find an agreement on how to manage user data in the EU. Now, the courts have said that Facebook violated GDPR clauses by allowing the data of Facebook users in the EU to be surveilled by the US. government.
The Irish watchdog, the Irish Data Protection Commission, is Meta’s primary privacy regulator within the EU as the company is based in Dublin. In addition to the monetary fine, Meta was ordered to stop sending EU user data to the US. in October and to change its data storage methods in November to comply with EU privacy rules.
According to the Commission, Meta must stop “unlawful processing, including storage, in the US,” which means Meta must delete all EU user data it has.
Also: The best VPN for iPhone and iPad
Until 2020, Meta and the EU have an agreement on how to handle user data under an agreement called Privacy Shield. The Privacy Shield applies to thousands of tech, auto, and financial companies and dictates how EU data is transferred to the US.
But in 2020, Privacy Shield was struck down by the EU’s top court, which ruled that the agreement still allowed the US government to access EU user data. Without Privacy Shield and without a new agreement, Meta’s fate in the EU is unclear.
Last year, the European Commission announced that the EU and the US are drafting another deal like the Privacy Shield, but this deal will include more legal protections and safeguards for EU user data.
However, as with any piece of legislation, drafting an agreement that both parties are happy with will take time and may not be ready before Meta’s October deadline to stop data transfers.
In Meta’s latest earnings report, the company said it had to stop offering Facebook in Europe, “which would materially and adversely affect our business, financial condition, and results of operations. ” The company says that in order to continue operating in the EU, an agreement between the EU and the US regarding the storage of user data must take place.
Also: 4 ways to secure your remote work setup
But according to EU lawmaker Axel Voss, Meta “cannot simply blackmail the EU into providing data protection standards,” he Tweet in response to Meta.
Some experts say that although Meta’s $1.3 billion fine is large and the largest in EU data privacy suit history, money is not Meta’s biggest issue. Meta will have to reimagine its data transfer policies, which will prove difficult since the legal framework surrounding the issue does not exist in the US.
“This data deletion order is a headache for Meta,” said Johnny Ryan, senior fellow at the Irish Council for Civil Liberties. “It’s very difficult to see how it can comply with that mandate.”
On the other hand, some say the huge fine shows tech companies that data privacy is something the EU takes very seriously.
Also: Don’t get scammed by fake ChatGPT apps: Here’s what to look for
“The unprecedented fine is a strong signal to organizations that serious breaches have serious consequences,” said Andrea Jelinek, the chairman of the European Data Protection Board.