Meta fined record $1.3 billion, ordered not to send European user data to US
LONDON — The European Union hit Meta with a record $1.3 billion privacy fine on Monday and ordered it to stop transferring users’ personal data across the Atlantic by October. It’s the latest development in a decade-long case sparked by fears of U.S. cyber surveillance.
The €1.2 billion fine is the largest since the EU’s tough data protection regime came into force five years ago, and exceeds Amazon’s €746 million fine for data breaches in 2021.
Meta, which previously warned that services to its users in Europe could be shut down, has vowed to appeal and ask the courts to immediately suspend the decision.
According to the company, there is “no immediate disruption to Facebook operations in Europe”. The ruling covers user data such as names, email and IP addresses, messages, viewing history, geolocation data and other information that Meta — and other tech giants like Google — use to target online ads.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies that transfer data between the EU and the US,” said Nick Clegg, Meta’s President of Global Affairs, and Legal Director Jennifer Newstead.
This is another twist in a legal battle that began in 2013, when Austrian lawyer and privacy activist Max Schrems filed a complaint about Facebook’s handling of his data after Edward Snowden, a former contractor for the National Security Agency, revealed electronic surveillance by US security agencies. This included the disclosure that Facebook had given agencies access to the personal data of Europeans.
The saga highlighted a clash between Washington and Brussels over differences between a strict European approach to data protection and a relatively lax regime in the United States, which lacks a federal data protection law. The EU is a global leader in curbing the power of Big Tech, enforcing stricter oversight of their platforms and the protection of users’ personal data through a number of regulations.
The EU-US data transfer agreement, known as Privacy Shield, was invalidated in 2020 by the EU’s highest court, which said it did not protect residents from US government electronic surveillance. Monday’s decision confirmed that another tool used to regulate data transfers, standard legal contracts, is also invalid.
Brussels and Washington signed an agreement last year on a revised Privacy Shield that Meta can use, but the pact is awaiting a decision by European officials on whether it adequately protects data.
EU institutions have reviewed the deal, and the bloc’s lawmakers this month called for improvements, saying the safeguards were not strong enough.
Ireland’s data protection commission imposed the fine as Meta’s lead data protection regulator in the 27-country bloc, as the Silicon Valley tech giant has its European headquarters in Dublin.
The Irish watchdog said it had given Meta five months to stop sending European user data to the US and six months to bring its data operations into compliance by ending unlawful processing, including storage in the US, of European users’ personal data transferred in violation of the bloc’s privacy rules.
In other words, Meta has to delete all the data, which could be a bigger problem than the fine, said Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, a nonprofit legal group focused on digital and data issues.
“This data wipe order is really giving Meta a headache,” Ryan said. If the company has to scrub the data of hundreds of millions of EU users going back 10 years, “it’s very difficult to see how it will be able to comply with this order.”
If a new transatlantic privacy agreement goes into effect before the deadlines, “our services can continue to operate as they are now without any disruption or impact to users,” Meta said.
Schrems predicted that Meta has “no real chance” of effectively overturning the decision. And a new data protection pact does not necessarily mean the end of Meta’s problems, because there is a good chance that the EU’s highest court can throw it out, he said.
“Meta plans to rely on the new agreement for transfers in the future, but it is unlikely to be a permanent solution,” Schrems said in a statement. “Unless US surveillance laws are fixed, Meta will likely have to keep EU data in the EU.”
According to Schrems, a possible solution could be a “federated” social network where European data would remain in Meta’s European data centers “unless users are chatting with, for example, an American friend”.
In its latest earnings report, Meta warned that without a legal basis for data transfer, it would be forced to abandon its products and services in Europe, “which would materially and adversely affect our business activities, financial position and results of our operations”.
The social media company may face costly and complex operations if it is ultimately forced to stop transfers. According to its website, Meta has a fleet of 21 data centers, but 17 of those are located in the United States. Three others are in the European nations of Denmark, Ireland and Sweden. The other is in Singapore.
Other social media giants are coming under pressure for their data practices. TikTok has sought to assuage Western fears about the potential cybersecurity risks of the Chinese-owned short-form video-sharing app with a $1.5 billion project to store US user data on Oracle’s servers.