Meta has been hit with a record-breaking $1.3 billion fine (€1.2 billion) by EU data regulators, and ordered to stop transferring the Facebook data of EU citizens to the US, according to reports from Bloomberg and Politico. EU courts believe such data transfers expose EU citizens to privacy violations — a complaint that stems back to 2013 and the revelations by whistleblower Edward Snowden about US mass surveillance.
Although the fine is the headline figure — exceeding the previous EU record of €746 million levied against Amazon in 2021 for similar privacy violations — it’s the order to stop data transfers that is potentially most significant.
Transferring data to the US is critical for Meta’s vast ad-targeting operation, which relies on processing multiple streams of personal data from its users. Last year, Meta said it would consider shutting down Facebook and Instagram in the EU it wasn’t able to send data back to the US; a warning that EU politicians saw as an obvious threat. “Meta cannot just blackmail the EU into giving up its data protection standards,” replied EU lawmaker Axel Voss to the news. “Leaving the EU would be their loss.”
Previously, these data transfers were protected by a transatlantic pact known as the Privacy Shield. But this framework was declared invalid in 2020 after the EU’s top court found that it did not protect data from being scraped by US surveillance programs. This ruling was given in response to a claim by Austrian lawyer Max Schrems, whose legal battle against Facebook dates back to 2013 and was triggered by the original Snowden revelations.
Although Meta has now been ordered to stop such data transfers, there are a number of caveats that benefit the US social media giant. First, the ruling only applies to data from Facebook — not other Meta companies like Instagram and WhatsApp. Second, there’s a five-month grace period before Meta has to stop data transfers to the US, with a deadline of October 22nd. And third, the EU and US are currently negotiating over a new deal to transfer data that could be in place as early as this summer and as last as October.
Despite the record-breaking size of the fine, experts expressed doubt that it will change anything fundamental about Meta’s privacy practices. “A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally,” Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, told The Guardian this weekend.
The ruling was made by the Ireland’s Data Protection Commission (DPC), the lead privacy regulatory for Meta’s EU operations, which are headquartered in Dublin.
