Meta was fined 1.2 billion euros ($1.3 billion) on Monday in a major ruling against the social media giant for violating European Union data protection rules.
The fine, announced by Ireland’s data protection authority, is one of the most consequential in the five years since the European Union enacted key data privacy legislation known as the General Data Protection Regulation. Regulators said the company failed to follow a 2020 ruling by the EU’s top court that data sent across the Atlantic was not adequately protected from US spy agencies.
The ruling announced on Monday applies only to Facebook, not Instagram and WhatsApp, which are also owned by Meta. Meta said it will appeal the decision and that there will be no immediate disruption to Facebook’s service in the European Union.
There are several steps before the company freezes Facebook users’ data in Europe – including photos, friend links, direct messages and data collected for targeted advertising. The ruling comes with a minimum five-month grace period for Meta to comply. And the company’s appeal will set off a lengthy legal process.
Meta could avoid that outcome if EU and US authorities create a new data-sharing agreement that would give Meta and other companies legal safeguards to move information between the US and Europe. A preliminary agreement for this was announced last year.
The EU decision shows how government policies are changing the seamless way data has traditionally moved. As a result of data-protection rules, national security laws and other regulations, companies are forced to store data within the country where it is collected, rather than being allowed to move it freely to data centers around the world.
The case against Meta stems from US policies that give intelligence agencies the ability to intercept communications from abroad, including digital correspondence. In 2020, Austrian privacy activist Max Schrems won a case to invalidate the US-EU agreement known as the Privacy Shield, which allowed Facebook and other companies to move data between the two regions. The European Court held that the risk of US snooping violated the fundamental rights of European users.
“Unless US surveillance laws are fixed, Meta will have to fundamentally restructure its systems,” Mr. Schrems said in a statement on Monday. The solution, he said, is an “integrated social network” in which most personal data remains in the EU except for “necessary” transfers, such as a European sending a direct message to someone in the US.
On Monday, Meta said it was being unfairly singled out for data-sharing practices used by thousands of companies.
“Without the ability to move data across borders, the internet will be carved into national and regional silos, constraining the global economy and leaving citizens in different countries unable to access many of the shared services we rely on,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, its chief legal officer, said in a statement.
The ruling, a fine issued under the General Data Protection Regulation, or GDPR, has the potential to cripple Facebook’s business in Europe, particularly affecting the company’s ability to target ads. Last month, Meta’s chief financial officer Susan Li told investors that about 10 percent of its global ad revenue came from ads served to Facebook users in EU countries. In 2022, Meta had nearly $117 billion in revenue.
Meta and other companies are counting on a new data deal between the US and the EU to replace the deal invalidated by European courts in 2020. Last year, President Biden and European Union President Ursula von der Leyen announced the outlines of an agreement in Brussels, but details are still being negotiated.
Without an agreement, the ruling against Meta shows the legal risks companies face in moving data between the EU and the US.
Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, said Meta faces the prospect of having to delete vast amounts of data about Facebook users in the European Union. Given the interconnected nature of Internet companies, this presents technical challenges.
“It’s hard to imagine how this order would be complied with,” said Mr. Ryan, who advocates strong data protection policies.
The decision against Meta comes on the five-year anniversary of GDPR, which was initially a model data privacy law but which many civil society groups and privacy activists said fell short of its promise due to a lack of enforcement.
Much of the criticism has focused on a provision that requires regulators in the country where a company has its EU headquarters to enforce the far-reaching privacy law. Home to the regional headquarters of Meta, TikTok, Twitter, Apple and Microsoft, Ireland has come under much scrutiny.
On Monday, Irish officials said they had been overruled by a panel made up of representatives from EU countries. The group demanded a fine of 1.2 billion euros and forced Meta to hand over past data collected about users, including deletion.
“The unprecedented fine is a strong signal to companies that serious breaches can have long-term consequences,” said Andrea Jelinek, president of the European Data Protection Board, the EU body that imposed the fines.
Meta is a frequent target of regulators under the GDPR, and in January, the company was fined €390 million for forcing users to accept personalized ads as a condition of using Facebook. In November, it was fined another 265 million euros for data leaks.