The European Union issued Meta a record $1.3 billion privacy violation fine on Monday and told it to stop sending user data over the Atlantic by October, the latest shot in a dispute that has lasted ten years and was initially spurred by concerns about American cyber snooping.
The sum of 1.2 billion euros surpasses Amazon’s 746 million euro penalties for data protection crimes in 2021 as the largest since the rigorous EU data privacy system went into effect five years ago.
After previously expressing concern that its users in Europe would lose access to its services, Meta vowed to file an appeal and request that the ruling be immediately stayed.
Facebook in Europe is not currently experiencing any disturbance, according to the firm.
“This decision is flawed, unjustified, and sets a dangerous precedent for the countless other companies transferring data between the EU and the U.S.,” said Jennifer Newstead, chief legal officer at Meta, and Nick Clegg, president of worldwide corporate affairs.
It’s the latest development in a legal battle that started in 2013 after Austrian lawyer and privacy activist Max Schrems complained about how Facebook handled his data in the wake of Edward Snowden’s revelations about electronic surveillance by U.S. security agencies. This included the admission that Facebook had given the authorities access to Europeans’ personal information.
The drama has brought to light the conflict between Washington and Brussels on the disparities between Europe’s strict stance on data privacy and the United States relatively lax enforcement of its own laws because it does not have a federal privacy statute. With a number of laws requiring Big Tech to police their platforms more closely and protect users’ personal information, the EU has been a global leader in limiting its dominance.
The EU’s top court invalidated the Privacy Shield; an agreement governing data transfers between the EU and the US, in 2020 because it didn’t go far enough to shield citizens from electronic snooping by the US government. The judgment on Monday established the invalidity of stock legal contracts, another measure used to regulate data transfers.
Last year, Brussels and Washington agreed to a revised Privacy Shield that Meta might utilize, but the agreement is still pending European officials’ judgment on whether it provides appropriate data privacy protection.
The accord has been under review by EU institutions, and last month, MPs from the union demanded revisions, claiming the safeguards are insufficient.
Because the European offices of the Silicon Valley software giant are located in Dublin, Ireland’s Data Protection Commission served as Meta’s principal privacy authority in the 27-nation bloc and imposed the penalties.
The Irish privacy watchdog stated that it gave Meta five months to stop transferring European users’ personal data to the U.S. and six months to bring its data operations into compliance “by ceasing the unlawful processing, including storage, in the U.S.” of European users’ personal data transferred in violation of the bloc’s privacy laws.
If the new transatlantic privacy agreement is in place before these dates, “our services can continue as they do today without any disruption or impact on users,” according to Meta.
Schrems asserted that Meta had “no real chance” of successfully appealing the ruling. A new privacy agreement might not be the end of Meta’s problems though, according to him, as there is a significant probability that the EU’s top court would reject it.
Schrems stated in a statement that “Meta plans to rely on the new deal for transfers going forward, but this is probably not a permanent fix.” “Meta will probably have to keep EU data in the EU unless U.S. surveillance laws get fixed.”
Without a legal foundation for data transfers, Meta was forewarned in its most recent earnings report that it would have to discontinue selling its goods and services in Europe, “which would materially and adversely affect our business, financial condition, and results of operations.”
If the social media corporation is compelled to stop sending user data over the Atlantic, it may have to undergo an expensive and complicated overhaul of its operations. According to its website, Meta operates a fleet of 21 data centers, but only 17 of them are located in the United States. Sweden, Denmark, and Ireland are all European countries that contain three more. Singapore is home to another.
Pressure over their data practices is mounting on other social media behemoths. TikTok has undertaken a $1.5 billion endeavor to store user data from American users on Oracle servers in an effort to allay Western concerns about the short video-sharing app’s possible cybersecurity threats.
