The European Union has levied an astounding $1.3 billion (€1.2 billion) fine on Meta. Facebook’s parent company was penalized for its failure to follow the EU’s privacy laws.
It’s the latest, and the harshest, financial penalty ever levied on an American tech company by the EU. It’s also the largest fine ever levied under the EU’s General Data Protection Regulation (GDPR). The regulation had already caught other major companies like Amazon and Google.
The severe ruling was delivered by the Irish Data Protection Commission (DPC). The DPC is the main regulator for Meta in the EU. The company’s regional headquarters are based in Dublin.
An investigation by the Irish DPC showed Meta didn’t address certain issues, especially the dangers associated with transferring data to the US. The DPC said these put at risk the basic rights and freedoms of the EU’s citizens.
The regulator also decreed that Meta must suspend any plans to transfer data. This ban will last for the next five months. The company was also told it has six months to halt the unlawful processing of personal data. This also includes storing the data of EU citizens residing in the US.
The suspension of data transfers wasn’t a surprise. Many experts were expecting that issue to come up again.
The probable impact of that threat has since been muted by the transition phase. It’s also dulled by the possibility of a new agreement on EU-US data flows. This deal could become operational by mid-year if all goes well.
Deeper Issues Behind the Ruling
There’s more to the DPC’s decision than meets the eye. Experts say it’s part of a bigger issue that’s been brewing between tech companies in the US and the EU. The two parties have contrasting ideas when it comes to cross-border data circulation.
Tech companies believe that it’s vital to have free passage of data across borders. They say it’s important to ensure a worldwide internet. Any attempts to curb the flow will fracture the web. It will also drive up costs.
Europe’s Court of Justice scrapped a data flow deal between the European Union and the US in 2020. The agreement was cancelled over the EU’s surveillance concerns. The EU was wary of the surveillance practices of America’s intelligence agencies.
The worries over data transfers aren’t new. They started in 2013, when Edward Snowden exposed the spying done by American intelligence-gathering agencies.
Their worries might have merit, but the decision has a big impact on businesses. Companies of every size move large amounts of data. Everything from marketing and sales to processing payroll is digital. Legal barriers stopping the flow of data risked disrupting commerce. Business between Europe and the US would come to a halt.
European and US officials have been collaborating since then. They’re working to develop a new data flow agreement. It is also expected to be finalized before the year ends.
The problem is America’s tech giants have been floating in legal limbo while a new agreement is being hammered out. These companies have turned to alternative means to transfer data. This includes options like the Standard Contractual Clauses (SCCs). But the DPC discovered that Meta’s use of these contractual clauses was not enough. The SCCs were not able to lessen the dangers identified by the EU’s court.
The DPC did admit it disagreed with the heavy fine levied on Meta. But it was reportedly forced to push through with it. This was because of a decision made by the European Data Protection Board.
The DPC’s initial ruling was to suspend Facebook’s data flow. But this was opposed by four regulators from the EDPB. They demanded that a fine be imposed on Facebook.
The unexpected ruling on Meta comes as the GDPR marks its fifth anniversary. The regulation is now considered a benchmark. It has given the EU the capability to impose large fines since 2018. Fines can reach as much as 4% of a company’s annual revenue, but only for severe violations.
Meta Bites Back
The ruling by the Irish DPC was also addressed at length by Jennifer Newstead, Meta’s chief legal officer. Newstead decried the penalty imposed by the DPC. They said it’s unjustified and flawed. They also stated that it set a dangerous example for the many companies that transfer data between the US and the EU.
Meta said it would appeal the DPC’s decision. The company also stated it would request a suspension of the ban orders. Meta says this can cause problems for the millions of Facebook users who use the platform every day.
Meta spokesperson Nick Clegg also explained the dangers of curbing personal data transfer. He said in a blog post it could carve up the internet into different blocks. He said it could see the web divided into national and regional silos. Newstead then explained that this could also restrict the global economy. It would also leave users in different countries unable to access shared services.
Meta would have to file its appeal to the DPC in Ireland. It can also take months before a final determination is made. Worse, it could take years. That’s the case with Amazon. The online retail giant appealed its GDPR fine, which was the highest penalty imposed at the time. That appeal is still ongoing in the courts of Luxembourg.