The European Union fined Meta a record $1.3 billion on Monday after finding the Facebook parent broke its privacy laws by transferring user data from Europe to the United States — one of the most impactful penalties from the E.U. rules, which could have broad implications for American businesses.
The Irish Data Protection Commission said in a statement that Meta’s data transfers were in breach of the E.U.’s General Data Protection Regulation (GDPR), rules that restrict what companies can do with people’s personal data. It is the largest GDPR fine handed down by the bloc, surpassing the previous record of $887 million against Amazon, a penalty issued in 2021 by a European privacy regulator that the firm said it would appeal.
The ruling attracted widespread criticism from industry representatives, who argued that it exacerbates the legal uncertainty facing a wide range of companies who send data across international waters. The practice provides the backbone for everyday functions such as collaborating with colleagues in an international office and fulfilling orders to a global customer base.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the E.U. and U.S.,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, its chief legal officer, said in a statement about the fine. They added there would be “no immediate disruption to Facebook in Europe.”
The move from the Irish Data Protection Commission is the latest development in a long-standing political and legal struggle to reconcile American laws on consumer data with European laws, which are more protective of online privacy and security.
In 2020, the Court of Justice of the European Union ruled that a commonly used data protection agreement, known as Privacy Shield, did not adequately uphold E.U. privacy law, which forced many companies to reconsider how they store and collect the data of European customers. But companies thought they could continue transferring data across borders legally through an alternative legal mechanism called Standard Contractual Clauses.
In March 2022, President Biden issued an executive order deploying a preliminary deal struck between Biden and E.U. leaders that created added checks on the collection of Europeans’ personal information by U.S. intelligence agencies and allowing them to seek redress if their data is unlawfully intercepted. The deal still needs final approval in the E.U.
“We expect that the EU-US Data Privacy Framework will be in place by the summer,” European Commission spokesperson Christian Wigand said in a statement. “This would provide the stability and legal certainty that companies look for, while ensuring strong protections for the privacy of individuals.”
Cross-border data transfers have become an integral part of the operations of a wide range of businesses, including tech platforms and agricultural businesses. Transferring data across international waters allows companies to analyze data from around world to predict market demand, receive and respond to customer questions, and manage their global supply chains.
Industry groups and companies have been urging officials to approve the framework to create legal clarity for companies who transfer data across borders. In the meantime, companies will likely rely on their existing standard contractual clauses, which E.U. regulators evaluate on a case-by-case basis, said Aaron Cooper, vice president of global policy at BSA the Software Alliance.
“The decision that was announced today is that it is crucial that that data privacy framework come into force because it’ll give certainty to companies [and] to individuals,” Cooper said in an interview.
“What often gets lost in the conversation is that data transfers are used in every sector of the economy on both sides of the Atlantic. And it has become a cornerstone of the way companies expand job opportunities.”
Peter Swire, a Georgia Institute of Technology professor who studies privacy and cybersecurity, said the United States still has to implement a few changes under the privacy framework before the E.U. can officially approve the deal. In the meantime, the Irish Data Protection Commission’s fine against Meta could have wide-ranging implications for the business sector, he said.
“Many other companies rely on the same standard contractual clauses that Facebook relied on,” said Swire, who served in both the Obama and Clinton administrations. “Today’s decision calls into question whether other companies have sufficient safeguards in place when they use these contracts.”
Sean Heather, senior vice president for international regulatory affairs and antitrust at the U.S. Chamber of Commerce, also said the new privacy framework between the United States and the E.U should resolve the legal uncertainty created by Ireland’s Data Protection Commission fine against Meta.
“This issue goes far beyond Meta,” he said in a statement. “The time has come for the United States and the European Union to operationalize this agreement quickly, returning certainty to data flows that underpin transatlantic economic ties, society, and our international cooperation.”
Meta has faced regulatory scrutiny over its privacy practices for more than a decade, including from the Federal Trade Commission in the United States. Monday’s fine is far smaller than the $5 billion settlement that the company reached with the FTC in 2019 over its alleged mishandling of user data, ending an investigation that began in the wake of the Cambridge Analytica scandal.
That record-breaking fine marked a historic censure of a major tech company, but it was largely shrugged off by investors. The company’s critics in Congress said the penalty did not go far enough, calling it a “Christmas present” and a “mosquito bite” for the tech behemoth. Yet the FTC settlement is a harbinger of how government penalties can inflict more than financial pain on a company.
Under its agreement with the FTC, Meta had to launch privacy reviews of every new product or change to its service, and document how those changes affect users. The company also had to submit to third-party privacy audits for 20 years and appoint compliance officers and create a new committee within its board of directors to oversee privacy decisions.
Under Monday’s ruling, Meta will have five months create a system to halt all future transfers of personal data to the United States and six months to stop “the unlawful processing, including storage, in the U.S. of personal data of E.U./EEA users transferred in violation of the GDPR.”
The Data Protection Commission began the inquiry into Meta’s data-sharing practices in August 2020. The body determined earlier this month that Meta ran afoul of Article 46(1) of the GDPR — which allows tech companies under certain conditions to transfer personal data from the E.U. “to a third country or an international organisation” only if they provide “appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
The commission ruled that Meta violated the article “when it continued to transfer personal data from the E.U./EEA to the USA” after the 2020 ruling by the Court of Justice of the European Union that invalidated the Privacy Shield agreement.