|A Landmark Ruling Shakes the Tech World
Meta, the parent company of Facebook, has been handed a historic fine of $1.3 billion by European Union data protection regulators for the unlawful transfer of personal data belonging to users in the region to the United States.
The European Data Protection Board (EDPB) has issued a binding decision, ordering the social media giant to bring its data transfers in line with the General Data Protection Regulation (GDPR) and to delete unlawfully stored and processed data within a period of six months.
In addition, Meta has been given five months to suspend any future transfers of Facebook users’ data to the United States. However, this order does not apply to Instagram and WhatsApp, both of which are owned by Meta.
EDPB Chair Andrea Jelinek stated that the infringement committed by Meta IE is considered extremely serious, as it involves systematic, repetitive, and continuous transfers of data. She emphasized that Facebook’s substantial user base in Europe results in a massive volume of personal data being transferred, and the unprecedented fine serves as a strong signal that severe infringements carry significant consequences for organizations.
European data protection authorities have repeatedly highlighted the absence of privacy protections equivalent to the GDPR in the United States. This raises concerns that European data, when transmitted to servers located in the U.S., could potentially be accessed by American intelligence services.
The ruling stems from a legal complaint filed nearly a decade ago in June 2013 by Austrian privacy activist Maximilian Schrems, the founder of NOYB. Schrems voiced concerns about the lack of adequate protection for EU user data against U.S. intelligence agencies when transferred across the Atlantic.
Schrems suggested that the most straightforward resolution would involve imposing reasonable limitations on U.S. surveillance laws. He argued that both sides of the Atlantic recognize the need for probable cause and judicial approval of surveillance and that it is time to extend these fundamental protections to EU customers of U.S. cloud providers. Schrems further noted that any other major U.S. cloud provider, such as Amazon, Google, or Microsoft, could face a similar decision under EU law.
Meta intends to rely on a new data transfer agreement for future transfers. However, Schrems expressed skepticism about the longevity of this solution, stating that there is only a small chance of the agreement surviving scrutiny by the Court of Justice of the European Union (CJEU). He emphasized that unless U.S. surveillance laws undergo substantial revisions, Meta will likely need to store EU data within the EU.
Schrems also accused the Irish Data Protection Commission (DPC) of consistently obstructing the progression of the case and attempting to shield Meta from fines and the requirement to delete transferred data. Both of these actions were overturned by the EDPB.
Meta has announced its intention to appeal the ruling, describing the fine as “unjustified and unnecessary.” The company argues that a fundamental conflict of law exists between the U.S. government’s data access rules and European privacy rights.
- Meta’s representatives, Nick Clegg and Jennifer Newstead, also warned about the potential consequences of restricting data transfers across borders. They stated that without cross-border data transfers, the internet may be fragmented into national or regional silos, hampering the global economy and limiting access to shared services for citizens in different countries.
- Last year, Meta cautioned that if ordered to suspend transfers to the U.S., it might be compelled to cease offering several significant products and services in the European Union. A new trans-Atlantic data transfer agreement is expected to be finalized later this year as a replacement for the Privacy Shield, according to the Wall Street Journal.
The $1.3 billion fine is the largest ever imposed under the GDPR privacy laws of the European Union, surpassing the €746 million ($886.6 million at the time) fine previously imposed on Amazon in July 2021 for similar