Meta has been hit with a record $1.3 billion fine by the European Union for breaching data transfer laws.
What happened. Facebook transferred the data of EU citizens to the U.S., violating the EU’s General Data Protection Regulation (GDPR), according to the Irish Data Protection Commission. Meta’s European headquarters are in Dublin.
What the ruling means for Meta. Meta has been given five months to stop future transfers of personal data to the U.S. and six months to cease unlawful processing and storage of EU/EEA users’ data in the U.S., according to the ruling.
Why we care. If the ruling is put in place, Facebook would have to delete a huge amount of data and restructure its IT systems at a very fundamental level. It also would have enormous implications for any company transferring data between the two areas.
Only Facebook. The decision applies only to Facebook and not other Meta-owned platforms (e.g., Instagram).
What Meta is saying. The company plans to appeal, Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, its chief legal officer, said in a statement:
- “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.”
A conflict of laws. The best hope for staying the ruling is a new data transfer treaty between the U.S. and the EU.
Until 2020, these transfers were protected by the Privacy Shield treaty between the two governments. That year the EU’s highest court invalidated the treaty by ruling it did not sufficiently protect EU citizens’ data from American spy agencies.
Negotiations have been underway since the high court’s ruling. Last year, President Biden and Ursula von der Leyen, the president of the European Union, announced the outlines of a deal, but the details are still being hammered out.
This decision may increase the pressure on the U.S. to get it done. However, the complexity of the issues makes it difficult to move quickly.