Meta was fined 1.2 billion euros ($1.3 billion) on Monday in a major ruling against the social media giant for violating European Union data protection rules.
The fine, announced by Ireland’s data protection authority, is one of the most consequential in the five years since the European Union enacted key data privacy legislation known as the General Data Protection Regulation. Regulators said the company failed to follow a 2020 ruling by the EU’s top court that Facebook data sent across the Atlantic was insufficiently protected from US spy agencies.
But it’s not clear if or when Meta will turn around Facebook users’ data in Europe. Meta said it would appeal the decision, setting off a lengthy legal process.
At the same time, EU and US officials Meta and several other companies are negotiating a new data-sharing deal that would give them legal protections for moving information between the U.S. and Europe — a deal that could overturn Monday’s EU ruling. A preliminary agreement for this was announced last year.
The ruling, which comes with at least five months for Meta to comply, applies only to Facebook, not Instagram and WhatsApp, owned by Meta. The company said there will be no immediate disruption to Facebook’s service in the European Union.
However, the EU decision shows how government policies are improving the borderless way in which data has traditionally moved. As a result of data-protection rules, national security laws and other regulations, companies are forced to store data within the country where it is collected, rather than allowing it to move freely to data centers around the world.
The case against Meta stems from US policies that give intelligence agencies the ability to intercept communications from abroad, including digital correspondence. In 2020, Austrian privacy activist Max Schrems won a case to invalidate the US-EU agreement known as the Privacy Shield, which allowed Facebook and other companies to move data between the two regions. The European Court held that the risk of US snooping violated the fundamental rights of European users.
“Unless US surveillance laws are fixed, Meta will have to fundamentally restructure its systems,” Mr. Schrems said in a statement on Monday. The solution, he said, is an “integrated social network” in which most personal data remains in the EU except for “necessary” transfers, such as a European sending a direct message to someone in the US.
On Monday, Meta said it was being unfairly singled out for data-sharing practices used by thousands of companies.
“Without the ability to move data across borders, the internet will be carved up into national and regional silos, constraining the global economy and leaving citizens in different countries unable to access many of the shared services we rely on,” said Nick Clegg. , Meta’s president of global affairs and the company’s chief legal officer, Jennifer G. Newstead said in a statement.
The Rule, which could result in fines registered under the General Data Protection Regulation or GDPR, affecting data related to photos, friend links and direct messages stored by Meta. This has the potential to crush Facebook’s business in Europe, particularly affecting the company’s ability to target ads. Last month, Meta’s chief financial officer, Susan Li, told investors that about 10 percent of its global ad revenue came from ads served to Facebook users in EU countries. In 2022, there was Meta Nearly $117 billion in revenue.
Meta and other companies are counting on a new data deal between the US and the EU to replace the deal invalidated by European courts in 2020. Last year, President Biden and European Commission President Ursula van der Leyen made the announcement. Outlines of an agreement in Brussels, but details are still being negotiated.
Without an agreement, the ruling against Meta shows the legal risks companies face in moving data between the EU and the US.
Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, said Meta faces the prospect of deleting vast amounts of data about Facebook users in the European Union. Given the interconnected nature of Internet companies this presents technical challenges.
Advocating for strong data protection policies, Mr. “It’s hard to imagine how this order would be complied with,” Ryan said.
The decision against Meta comes on the five-year anniversary of GDPR, which was initially a model data privacy law that many civil society groups and privacy activists said fell short of its promise due to a lack of enforcement.
Much of the criticism has focused on a provision that requires regulators to implement far-reaching privacy law in the country where a company has its EU headquarters. Ireland, home to the regional headquarters of Meta, TikTok, Twitter, Apple and Microsoft, has come under much scrutiny.
On Monday, Irish officials said they had been breached by a panel made up of representatives from EU countries. The group demanded a fine of 1.2 billion euros and forced Meta to disclose past data collected about users.
“The unprecedented fine is a strong signal to companies that serious breaches can have long-term consequences,” said Andrea Jelinek, president of the European Data Protection Board, the EU body that imposed the fines.
Meta is a frequent target of regulators under the GDPR, and in January, the company was fined €390 million for forcing users to accept personalized ads as a condition of using Facebook. In November, it was fined another 265 million euros for data leaks.
