Meta was fined a record-breaking $1.3 billion by EU regulators over the lack of data protection for European citizens. This battle started nearly 10 years ago in 2013 when former US National Security Agency contractor and whistleblower Edward Snowden outed the American authorities for frequently accessing people's personal information through tech companies.
- Facebook's owner, Meta, is now bearing the brunt of lax American privacy policies, its own incompetence, and a tussle between Washington and Brussels over data privacy.
- Reports say the fine is not a headache for Meta, which is estimated to be worth at least $640 billion. But the order to suspend US-EU data transfer is the bigger issue for the tech giant.
- Immediately, there will be no disruption to Facebook's operations in Europe. The decision pertains to user data such as name, email and IP address, messages, browsing history, geolocation data, and even financial information used for targetted online ads.
Why Meta was fined over a billion dollars?
- The fine was imposed by European Data Protection Board for violating the EU's General Data Protection Regulation (GDPR). The last highest fine imposed under GDPR was on Amazon for 746 million euros.
- For Meta, the $1.3 billion is not the highest fine imposed upon them. In 2019, the US FTC fined Facebook $5 billion.
- The EU case against Meta was brought by Austrian privacy activist Max Schrems who sued Facebook for failing to protect his privacy nearly a decade ago after Edward Snowden revealed American authorities' ways of accessing the data.
- Edward Snowden revealed that foreigners do not enjoy the privacy rights as American citizens in the US, leaving foreign persons' data stored in the country vulnerable to surveillance.
- For a long time, data transfers between the EU and the US were governed by an agreement that was struck down as invalid by the European Court of Justice in 2020.
- ECJ did allow companies to transfer data according to the standard contractual clauses (SCCs), however, with the latest fine it seems like Meta failed to adhere to the clauses.
What Meta has to say?
- Meta said that the decision to fine has been unjust and unnecessary. Furthermore, Meta also said that they were singled out.
… disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe. This decision is flawed, unjustified, and sets a dangerous precedent for the countless other companies transferring data between the EU and US.
- Nick Clegg, Facebook President, Global Affairs
- Meta said that they will appeal against the decision.
What now?
- Under the order, Meta has been given a five-month grace period to cease European data from being transferred and stored in the US.
- Meta has 21 data centers, 17 of which are in the US; three are in Europe and one is in Singapore.
- The biggest task for Meta is revamping its data transfer and storage operations, which is a costly affair. Moreover, Meta has to erase all the data stored for the past 10 years of European users on non-EU servers.
- Meta is counting on the new Data Privacy Framework (DPF) in talks between the US and the EU to be able to keep smooth operations on in the region instead of revamping its own operations.
- The new framework for data privacy is expected to be finalised "as quickly as possible" and likely by October. However, reports say it is unlikely to solve Meta's problems given that the US is unlikely to revamp its federal privacy policy for the data of foreigners that quickly.
While the fine and the decision are only limited to Meta's Facebook and not other platforms like Instagram and WhatsApp, it sets a precedent for all other foreign companies operating in the EU to strengthen how they deal with user data.
For Meta, transferring data to the US is crucial for its ad-targetting operations. In 2022, Meta warned EU policymakers that it would be forced to cease operations in the region if it is not allowed to transfer data across the Atlantic. EU had said then it would be Meta's loss.