Meta was fined a record 1.2 billion euros ($1.3 billion) on Monday and ordered to stop transferring data collected from Facebook users in Europe to the United States, in a landmark ruling against the social media company for violating European Union data protection rules.
The fine, announced by the Irish Data Protection Commission, is possibly one of the most drastic in the five years since the European Union passed the groundbreaking data privacy law known as the General Data Protection Regulation. Regulators said the company failed to comply with a 2020 decision by the EU’s highest court that data sent across the Atlantic was not adequately protected from US spy agencies.
The ruling announced on Monday only applies to Facebook and not to Instagram and WhatsApp, which Meta also owns. Meta said it would appeal the decision and there would be no immediate disruption to Facebook’s service in the European Union.
There are still several steps to follow before the company must shield Facebook users’ data in Europe – information that could include photos, friend contacts, direct messages, and data collected for targeted advertising. The ruling comes with a grace period of at least five months for Meta to comply. And the company’s appeal will lead to a potentially lengthy legal process.
European Union and US officials are negotiating a new data-sharing pact that would give Meta new legal protections to continue moving information about users between the United States and Europe. A tentative deal was announced last year.
Still, the EU decision shows how public policy is upsetting the borderless way data traditionally moves. Due to data protection rules, national security laws and other regulations, companies are increasingly forced to store data in the country where it was collected, rather than letting it flow freely to data centers around the world.
The case against Meta stems from US policy that allows intelligence agencies to intercept communications from abroad, including digital correspondence. In 2020, an Austrian privacy activist, Max Schrems, won a lawsuit to invalidate a US-EU pact known as Privacy Shield that had allowed Facebook and other companies to move data between the two regions. The European Court of Justice said the risk of US eavesdropping violates the fundamental rights of European users.
“Unless U.S. surveillance laws are resolved, Meta will need to fundamentally restructure its systems,” Schrems said in a statement Monday. The solution, he said, was likely a “federated social network” in which most personal data would remain in the EU except for “necessary” transfers, such as when a European sends a direct message to someone in the United States.
On Monday, Meta said it was unfairly singled out for data-sharing practices used by thousands of companies.
“Without the ability to transfer data across borders, the internet risks being split into national and regional silos, limiting the global economy and depriving citizens in different countries of access to many of the shared services we have come to rely on,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, its chief legal officer, said in a statement.
The ruling, a record fine under the GDPR, was expected. Last month, Susan Li, Meta’s chief financial officer, told investors that about 10 percent of global ad revenue came from ads delivered to Facebook users in EU countries. In 2022, Meta had sales of nearly $117 billion.
Meta and other companies are counting on a new data agreement between the United States and the European Union to replace the one that was declared invalid by European courts in 2020. Last year, President Biden and Ursula von der Leyen, the president of the European Union, announced the outlines of a deal in Brussels, but the details are still being negotiated.
Meta faces the prospect of having to delete large amounts of data on Facebook users in the European Union, said Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. That would pose technical difficulties given the interconnectedness of Internet companies.
“It’s hard to imagine how it can comply with this order,” said Mr Ryan, who has pushed for stronger data protection policies.
The decision against Meta falls almost exactly on the five-year anniversary of the GDPR. Although the regulation was initially held up as a model data privacy law, many civil society groups and privacy activists have said it has fallen short of its promise due to lack of enforcement.
Much of the criticism focused on a provision requiring regulators in the country where a company has its European Union headquarters to enforce far-reaching privacy laws. Ireland, home to the regional headquarters of Meta, TikTok, Twitter, Apple and Microsoft, has received the most attention.
On Monday, Irish authorities said they were being overruled by a board of representatives from EU countries. The board pushed for the €1.2 billion fine and forced Meta to address past data collected about users, including deletion.
“The unprecedented fine sends a strong signal to organizations that serious breaches have far-reaching consequences,” said Andrea Jelinek, the chair of the European Data Protection Board, the EU body that imposed the fine.
Meta has been a frequent target of regulators under the GDPR. In January, the company was fined €390 million for forcing users to accept personalized ads as a condition of using Facebook. In November, it was fined €265 million for a data breach.