Meta Fined $1.3B Over Data Transfers to U.S.

Facebook owner Meta Platforms was fined $1.3 billion by European Union regulators for sending user information to the U.S., a record privacy penalty for the bloc.

Source: WSJ | Published on May 22, 2023

Meta EU data privacy

Facebook owner Meta Platforms was fined $1.3 billion by European Union regulators for sending user information to the U.S., a record privacy penalty for the bloc.

The ruling raises pressure on the U.S. government to complete a deal that would allow Meta and thousands of multinational companies to keep sending such information stateside.

Tech companies have been especially vulnerable to regulatory scrutiny absent such a deal. But most large international companies rely on a relatively free flow of data across the Atlantic, and the steep fine for Meta highlights the regulatory challenges that have mounted since a previous data-transfer deal was overturned by European courts in 2020.

Meta’s top privacy regulator in the EU said in its decision Monday that Facebook has for years illegally stored data about European users on its servers in the U.S., where it contends the information could be accessed by American spy agencies without sufficient means for users to appeal.

The 1.2-billion-euro fine surpasses the previous record of €746 million, or $806 million, under the General Data Protection Regulation against Amazon in Luxembourg in 2021 for privacy violations related to its advertising business. The company has appealed that decision in Luxembourg courts.

In addition to imposing a fine, Monday’s decision also orders Meta to stop sending information about European Facebook users to the U.S., and delete data already sent, within about six months. The decision, though—said Meta—could avoid those orders if Washington completes a trans-Atlantic agreement with the EU to allow data transfers before then.

Meta said it would appeal the ruling and seek a stay to delay its suspension orders. “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” Meta said in a blog post responding to the decision.

Meta, alongside many other U.S.-based tech companies, moves data from Europe to the U.S., where the company operates its main data centers to offer its services.

In the absence of the ability to store data about users in the U.S., Meta could try to re-engineer its systems to keep much of Europeans’ personal information in Europe, but such a project would be extremely complex, people close to the company have said. Meta has said in securities filings that if ordered to suspend transfers, it may have to stop offering services in the EU, where it has declared it has more than 255 million Facebook users. The broader European region accounts for nearly a quarter of Meta’s revenue.

Meta said it welcomes progress that EU and U.S. policy makers have made on completing a new trans-Atlantic data deal, which it says is important for companies far beyond Facebook.

Ireland’s Data Protection Commission issued Monday’s fine and order because it leads the enforcement of the EU’s GDPR for Meta, which has its European headquarters in Dublin.

The fine and suspension order are the biggest step that EU regulators have taken thus far to enforce a 2020 ruling about data transfers from the bloc’s top court. That ruling restricted how companies such as Meta can send personal information about Europeans to U.S. soil, because it found that Europeans have no effective legal way to challenge American government surveillance.

That case, filed by privacy activist Max Schrems, was the second time in a decade that a trans-Atlantic EU-U.S. data deal was struck down over questions of surveillance.

The U.S. has said its surveillance practices are proportionate but has also moved to give Europeans more ability to challenge them in an effort to bridge the gap with the EU.

While Monday’s decision covers only Facebook, not Meta’s other properties, the issues underlying it affect Meta’s other units—as well as thousands of other multinational companies that store or access data about Europeans from computers inside the U.S.

Without a U.S.-EU deal, big tech companies as well as other companies that use their services, could find themselves the targets of EU privacy investigations of their own, aimed at ordering them to suspend data flows to the U.S. Hanging in the balance are tens if not hundreds of billions of dollars in trade in industries such as advertising, artificial intelligence, human resources and cloud services.

Tech companies are particularly affected because the 2020 EU court ruling is focused in part on surveillance powers in Section 702 of the U.S.’s Foreign Intelligence Surveillance Act, which can compel electronic communications providers to turn over information on their users.

The U.S. and EU have been trying to fix a hole left by the 2020 court decision by creating a new trans-Atlantic data deal. Under that deal, first agreed in principle in 2022, the EU would lift many of the restrictions on companies sending data to the U.S., provided the U.S. addressed the concerns raised by the EU court—for instance by giving Europeans new rights to appeal surveillance.

The replacement deal still hasn’t been officially completed by EU officials because they say the U.S. government hasn’t fully implemented its end of the bargain. At the same time, some European politicians have said they think the deal should be further renegotiated.

A spokesman for the European Commission, the EU’s executive body, said the bloc is completing its framework for data protection between the U.S. and EU and expects it to be in place by the summer.

“This will guarantee stability and legal certainty sought by businesses, and will also guarantee strict protection of the private lives of citizens,” the spokesman said.

Tech companies have in particular called on the U.S. to implement its end of the deal, and for Europe to swiftly approve it. “Data flows between the EU and U.S. make up the busiest internet route in the world, and are vital to trans-Atlantic trade,” said the Washington, D.C.-based Computer & Communications Industry Association.

Monday’s decision gives Meta six months to bring its handling of European Facebook users’ data into compliance with the GDPR’s data-transfer rules, the people said. A completed data transfer agreement between the EU and U.S. would allow the company to satisfy that requirement, the decision suggests. But such a deal wouldn’t erase the €1.2 billion fine, which covers past transfers.

Ireland’s Data Protection Commission is planning to issue Monday’s decision after years of delay, in part from court challenges that Meta launched against a 2020 draft order for Meta to suspend its transfers. A board representing all privacy regulators in the bloc last month ordered the Irish regulator to add a significant fine and broaden the scope of the suspension after objections from other EU regulators.

“Facebook has millions of users in Europe, so the volume of personal data transferred is massive,” said Andrea Jelinek, chair of the board of EU privacy regulators. “The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”