Meta fined $1.3 billion for privacy breaches
The European Union on Monday slapped Meta with a record $1.3 billion privacy fine and ordered it to stop transferring users’ personal information across the Atlantic by October, the latest salvo of a decade-long case sparked by fears of cyber espionage in the United States.
The €1.2 billion fine is the biggest since the EU’s strict data privacy regime came into effect five years ago, topping Amazon’s €746 million fine in 2021 for breach of data protection.
Meta, which previously warned that services for its users in Europe could be cut, pledged to appeal and ask the courts to immediately suspend the decision.
The company said “there is no immediate disruption to Facebook in Europe.” The decision applies to user data such as names, email and IP addresses, messages, viewing history, geolocation data and other information that Meta – and other tech giants like Google – use for targeted online advertisements.
“This decision is flawed, unwarranted and sets a dangerous precedent for the countless other companies that move data between the EU and the US,” said Nick Clegg, president of global affairs at Meta, and chief legal officer Jennifer Newstead in a statement.
It’s yet another twist in a legal battle that began in 2013 when Austrian lawyer and privacy activist Max Schrems filed a complaint about Facebook’s handling of his data following revelations from the former National Security Agency contractor Edward Snowden on electronic surveillance by US security agencies. This included the revelation that Facebook had given agencies access to Europeans’ personal data.
The saga has highlighted the conflict between Washington and Brussels over the differences between Europe’s strict view on data privacy and the relatively lax regime in the United States, which has no federal privacy law. The EU has been a world leader in reining in the power of Big Tech with a series of regulations requiring them to more strictly monitor their platforms and protect users’ personal information.
An agreement covering data transfers between the EU and the US, known as the Privacy Shield, was struck down in 2020 by the EU’s top court, which said it did not do enough to protect residents from the electronic prying of the US government. Monday’s ruling confirmed that another tool to govern data transfers – stock legal contracts – was also invalid.
Brussels and Washington signed an agreement last year on a reworked Privacy Shield that Meta could use, but the pact awaits a decision from European officials on whether it adequately protects data privacy.
EU institutions have scrutinized the deal and lawmakers in the bloc this month called for improvements, saying the safeguards are not strong enough.
The Irish Data Protection Commission imposed the fine as Meta’s main privacy regulator in the 27-nation bloc because the Silicon Valley tech giant’s European headquarters are based in Dublin.
The Irish watchdog said it had given Meta five months to stop sending European user data to the United States and six months to bring its data operations into compliance “by ceasing unlawful processing, including storage, in the United States” of personal data of European users transferred in violation of the bloc’s privacy rules.
In other words, Meta has to erase all that data, which could be a bigger problem than the fine, said Johnny Ryan, senior researcher at the Irish Council for Civil Liberties, a nonprofit rights group, who has worked on digital and data issues.
“This order to delete data is really a headache for Meta,” Ryan said. If the company has to cleanse the data of hundreds of millions of users in the European Union for 10 years, “it is very difficult to see how it will be able to comply with this order”.
If a new transatlantic confidentiality agreement takes effect before the deadlines, “our services can continue as they do today without any disruption or impact on users,” Meta said.
Schrems predicted that Meta had “no real chance” of materially overturning the decision. And a new privacy pact might not mean the end of Meta’s troubles, as there is a good chance it will be thrown out by the EU’s highest court, he said.
“Meta plans to rely on the new deal for future transfers, but it’s likely not a permanent solution,” Schrems said in a statement. “Unless US surveillance laws are fixed, Meta will likely have to keep EU data in the EU.”
Schrems said one possible solution could be a “federated” social network, where European data stays in Meta’s data centers in Europe, “unless users are chatting with, say, an American friend.”
Meta warned in its latest earnings report that without a legal basis for data transfers, it would be forced to cease offering its products and services in Europe, “which would materially and adversely affect our business, financial condition and operating results”.
The social media company could face a costly and complex overhaul of its operations if it is eventually forced to stop the transfers. Meta has a fleet of 21 data centers, according to its website, but 17 of them are in the United States. Three others are in the European nations of Denmark, Ireland and Sweden. Another is in Singapore.
Other social media giants are under pressure on their data practices. TikTok has tried to allay Western fears about potential cybersecurity risks from China’s short-video sharing app with a $1.5 billion project to store US users’ data on Oracle servers.