Meta on Monday was fined a record €1.2 billion ($1.3 billion) and ordered to stop transferring data collected from Facebook users in Europe to the US, in a major ruling against the social media company for violating European Union data protection rules.
The penalty, announced by Ireland’s Data Protection Commission, is potentially one of the most consequential in the five years since the EU enacted the landmark data privacy law known as the General Data Protection Regulation. Regulators said the company failed to comply with a 2020 decision by the EU’s highest court that data shipped across the Atlantic was not sufficiently protected from American spy agencies.
The ruling announced on Monday applies only to Facebook and not Instagram and WhatsApp, which Meta also owns. Meta said it would appeal the decision and that there would be no immediate disruption to Facebook’s service in the EU.
Several steps remain before the company must cordon off the data of Facebook users in Europe — information that could include photos, friend connections, direct messages and data collected for targeting advertising. The ruling comes with a grace period of at least five months for Meta to comply. And the company’s appeal will set up a potentially lengthy legal process.
EU and American officials are negotiating a new data-sharing pact that would provide legal protections for Meta to continue moving information about users between the US and Europe. A preliminary deal was announced last year.
Yet the EU decision shows how government policies are upending the borderless way that data has traditionally moved. As a result of data-protection rules, national security laws and other regulations, companies are increasingly being pushed to store data within the country where it is collected, rather than allowing it to move freely to data centres around the world.
The case against Meta stems from US policies that give intelligence agencies the ability to intercept communications from abroad, including digital correspondence. In 2020, an Austrian privacy activist, Max Schrems, won a lawsuit to invalidate a US-EU pact, known as Privacy Shield, that had allowed Facebook and other companies to move data between the two regions. The European Court of Justice said the risk of US snooping violated the fundamental rights of European users.
New York Times News Service