Facebook parent company Meta received a record-breaking $1.3 billion fine in Europe (€1.2 billion) following a privacy violation that regulators have been investigating for a decade. It involves the transfer of Facebook data belonging to European Union users to the US. The EU started looking into the company's data transfer practices in 2013, following the Edward Snowden revelations.
The EU action comes just months ahead of a new planned data transfer deal between the US and the EU. Unsurprisingly, Meta is contesting the fine.
Ireland's Data Protection Commission (DPC) announced the fine on Monday. Here's the EU decision. The previous record was a fine similar grounds belonged to Amazon. The retailer was hit with a €746 million ($807 million) fine in 2021, per The Verge.
The EU worries that the Facebook data transfers in question expose its citizens to privacy violations and violate GDPR. The data transfers were protected by a US-EU pact called the Privacy Shield. But the EU's top courts found that the pact did not actually shield EU citizens. US surveillance programs could still collect data.
According to the new ruling, Meta also has to stop transferring EU data to the US.
Austrian lawyer Max Schrems started this legal battle against Facebook in 2013 when the world discovered the Snowden revelations. The 2020 ruling came in response to Schrems's claims. Commenting on Meta's new fine, the lawyer said Meta faced a much higher fine of up to €4 billion:
We are happy to see this decision after ten years of litigation. The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.
Schrems also said he expects Meta to appeal the decision but that a win for the company in the case is unlikely. "Past violations cannot be overcome by a new EU-US deal. Meta can at best delay the payment of the fine for a bit."
Meta, of course, is in a position where it can afford to pay such hefty privacy fines. "A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally," Johnny Ryan told The Guardian. Ryan is a senior fellow at the Irish Council for Civil Liberties.
Per the same Guardian report, the EU has already fined Meta nearly €1 billion ($1.08 billion) since September 2021 for other privacy violations.
Meta's response to the EU fine is available at this link. The company thinks the fine is "unjustified and unnecessary," which is what we'd expect from Facebook to say, whatever its new name. Meta recently threatened to pull products like Facebook and Instagram from Europe if it couldn't get user data transfers to the US.
The company will appeal the fine and seek a stay on the ruling. Meta still needs to transfer data to the US, where it can process it. Data collection and processing allow Facebook to make more money from ads. Meta reported $28.6 billion in revenue during the March 2023 quarter. And Meta seems to be doing everything possible to track Facebook users, even if that means infringing privacy rules.
Meta has five months to stop the transfer of EU data. After six months, it can no longer hold that data in the US.
Fine and restrictions aside, Meta will soon be able to transfer user data to the US without having to worry about fines like this. The EU and the US are working on a new deal to cover such data transfers. That deal could be in place by October. Still, the new agreement can't protect the company from past offenses.