Meta hit with $1.3 billion fine over Facebook's EU-US data transfers

Regulators say Meta put EU citizens' data at risk


The EU has issued a record-breaking €1.2 billion ($1.3 billion) fine to Facebook owner Meta over data transfers. After a lengthy investigation, officials found the social network’s practice of moving EU citizens' data to US-based servers was in violation of the bloc’s key digital privacy rules. In a statement, Ireland’s Data Protection Commission said that while Meta had attempted to address potential legal hurdles, “these arrangements did not address the risks to the fundamental rights and freedoms of data subjects” in the Union.

This is the latest chapter in a saga that has now run for more than a decade examining how EU citizens’ private data is handled by Big Tech. Put simply, European privacy law is thought to be a lot tighter than its American counterpart, especially with a focus on individual rights. But any big tech company with servers all around the world has the ability to move data from one server to another without much effort. That means that an EU citizens’ data could be sent to the US, where such stringent privacy laws don’t apply, opening the door for unnecessary surveillance.

It’s something that the EU, often pushed into action by Austrian lawyer and privacy activist Max Schrems, has been working to address. Schrems found the existing Safe Harbor provisions to be insufficient, something that the Court of Justice of the European Union agreed with. So, the bloc worked with the US on the EU-US Privacy Shield, which was meant to tighten data controls when information was pushed between the two territories. Naturally, that was similarly ruled invalid by the European Court of Justice, leading to further contortions as Facebook and others said that their businesses, for reasons known only to them, wouldn’t function without this data transfer.

As part of the decision, Ireland’s Data Protection Commission has ordered Meta to suspend any future data transfers of EU citizen data to the US within the next five months. It will also have to work to bring its operations “into compliance” with the GDPR, including any processing of EU citizens’ data on US servers, within the next six months. This will likely, however, be appealed and held up as a consequence of a wider political negotiation between the EU and the US as they look to agree a new framework to permit these data flows in a safe(r) way.

Sir Nick Clegg, Meta’s president of global affairs, has written in his usual style that the company will appeal the fine, and the decision, saying that Facebook acted in good faith. He added that cross-border data flows are vital for many businesses, not just his own, and that he is “disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.”