EU Fines Meta Platforms $1.2 Billion for Privacy Breach
European Union regulators have imposed a record-breaking fine of €1.2 billion ($1.3 billion) on Meta Platforms, the owner of Facebook, for unlawfully transferring user information to the United States. This ruling puts increased pressure on the U.S. government to finalize an agreement that would permit Meta and numerous multinational companies to continue such data transfers. The substantial size of the fine highlights the growing risks associated with violating the European Union’s privacy regulations as their enforcement becomes stricter.
Tech Companies Face Intensified Regulatory Scrutiny
Tech companies, along with other large international corporations, have faced heightened regulatory scrutiny due to European privacy concerns. This scrutiny has intensified since European courts overturned a data-sharing agreement between the U.S. and EU in 2020. The fine imposed on Meta serves as a stark reminder of the risks that companies across various sectors face without a new data transfer deal in place.
Meta’s EU Privacy Regulator Deems Data Storage Illegal
Meta’s top privacy regulator in the EU stated in its decision that Facebook has unlawfully stored data about European users on servers located in the U.S. The regulator argues that such storage enables access to the information by American intelligence agencies without adequate means for users to challenge it. The fine of €1.2 billion (approximately $1.3 billion) surpasses the previous record penalty of €746 million ($806 million) imposed on Amazon in 2021 for privacy violations related to its advertising business under the General Data Protection Regulation (GDPR). Amazon has appealed this decision in Luxembourg.
EU Privacy Regulators Increase Enforcement Efforts
EU privacy regulators have taken a significant step forward by imposing more substantial fines. They have increased their enforcement of the GDPR, the privacy law of the EU, five years after its introduction. People familiar with the deliberations suggest that the EU regulatory board has assumed greater control over cross-border decisions and insists on imposing larger fines. Prior to the decision against Meta, the EU board demanded that Ireland levy a fine ranging from 20% to 100% of the maximum allowable penalty. According to the GDPR, Meta could have faced a fine of up to 4% of its worldwide annual revenue, nearly $4.7 billion.
Strong Message Sent to Organizations
Andrea Jelinek, chair of the board of EU privacy regulators, highlighted the significance of the massive volume of personal data transferred by Facebook from Europe. She emphasized that the unprecedented fine serves as a strong signal to organizations that serious infringements have far-reaching consequences. Meta has been granted six months to bring its handling of European Facebook users’ data into compliance.
Fine Comparison and Suspension Orders
Although smaller than the $5 billion penalty imposed by the Federal Trade Commission in 2019 for consumer privacy violations, the fine against Meta remains substantial. Additionally, it falls below the EU’s largest antitrust fines, such as the $4.7 billion fine imposed on Google for its Android operating system. Alongside the fine, Monday’s decision orders Meta to cease sending information about Facebook’s European users to the U.S. and delete any data already transferred within approximately six months. Meta stated that it could avoid these orders if the U.S. and EU complete a new trans-Atlantic agreement allowing data transfers before the deadline.
Meta’s Response and Potential Consequences
Meta expressed its intention to appeal the ruling and seek a stay to delay the suspension orders. “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” Meta said in a blog post responding to the decision. Meta, along with numerous other U.S.-based tech companies, regularly transfers data from Europe to the U.S., where its main data centers are located, in order to provide services to its users.
Max Schrems’ Response
Max Schrems, the privacy activist and founder of noyb (None of Your Business), has expressed satisfaction with the €1.2 billion fine imposed on Meta (formerly Facebook) by the Irish Data Protection Commission (DPC) over its involvement in US mass surveillance, a fine that comes after a decade-long legal battle.
Schrems highlighted that the fine could have been even higher given Meta’s deliberate violation of the law for ten years to make a profit. He emphasized that unless US surveillance laws are fixed, Meta will need to fundamentally restructure its systems.
Schrems also pointed out that the conflict between EU privacy laws and US surveillance laws affects other major US cloud providers like Microsoft, Google, and Amazon. He noted that a reasonable solution would be to impose limitations on US surveillance law, requiring probable cause and judicial approval. Schrems believes that a similar decision could be made against other US cloud providers under EU law. He also mentioned the possibility of future litigation against Meta in Europe, with users being able to claim damages for violations of their data protection rights.
Ireland Takes the Lead in Imposing Fine
The fine and suspension order were issued by Ireland’s Data Protection Commission, as it leads the enforcement of the GDPR for Meta, which has its European headquarters in Dublin. This marks a significant step taken by EU regulators to enforce a 2020 ruling from the EU’s top court regarding data transfers. The ruling was a response to concerns that Europeans have no effective legal means to challenge U.S. government surveillance, leading to restrictions on companies like Meta transferring personal information about European individuals to the U.S.
Broader Implications for Meta and Other Multinational Companies
Although the decision specifically targets Facebook, the underlying issues also affect Meta’s other subsidiaries and thousands of multinational companies that store or access data about Europeans from servers located in the U.S. The absence of a U.S.-EU data transfer agreement puts tech giants and other companies that rely on their services at risk of facing EU privacy investigations. These investigations could result in orders to suspend data flows to the U.S., potentially impacting industries such as advertising, artificial intelligence, human resources, and cloud services, which contribute to tens if not hundreds of billions of dollars in trade.
Surveillance Powers and Proposed Data Deal
Tech companies are particularly affected by the 2020 EU court ruling, which focuses on the surveillance powers outlined in Section 702 of the U.S.’s Foreign Intelligence Surveillance Act. This section can compel electronic communications providers to disclose user information. To address these concerns, a newly proposed U.S.-EU data deal aims to alleviate restrictions on data transfers to the U.S. The EU would lift these restrictions if the U.S. addresses the issues raised by the EU court, such as granting Europeans new rights to challenge surveillance practices. However, the deal has not been officially completed as EU officials assert that the U.S. government has yet to fully implement its end of the agreement. Some European politicians have even called for further renegotiation.
Uncertain Future and Potential Consequences
Analysts and experts believe that the next few months will be critical in determining the outcome of this ongoing dispute. The EU’s willingness to withhold a data transfer deal and compel Meta to suspend services in the EU has raised concerns. Meta has stated that if it is required to suspend data transfers, it may have to cease offering its services in the EU altogether, where it boasts more than 255 million Facebook users. The European market represents a significant portion of Meta’s revenue, making the potential consequences of this situation far-reaching.
Safeguard Personal Data when Transferring to the US
To safeguard personal data when transferring it to the US, you need a reliable and comprehensive guide. One way to gain this knowledge is through specialized training and certification programs, such as those offered by professional bodies like the DELTA Data Protection & Compliance Academy & Consulting.
This handbook is part of the self-paced intensive online training course to become a certified data protection officer (C-DPO/CIPP/CIPM) of DELTA Data Protection & Compliance Academy, but it is also a valuable standalone guide for mastering data protection.
DELTA Data Protection & Compliance Academy & Consulting is an expert organization for data protection and compliance, offering DPO as a Service and training programs for individuals interested in becoming certified DPOs. The academy’s mission is to provide candidates with the knowledge and skills to serve as DPOs and help organizations ensure compliance with GDPR requirements within the EU.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com