Facebook/Meta has just hit with a huge fine and a suspension order by the European Data Protection Board (EDPB) over its practice of exporting EU user data to its US offices, which is in violation of EU law.
Meta was anticipating this happening — even going so far as to warn investors in April that 10% of its global ad revenue could be at risk due to an EU regulation crackdown, per TechCrunch. But on Monday it became real, with the EDPB issuing a $1.3 billion (€1.2 billion) fine to the company, as well as issuing an immediate order that data flows to the US be halted. As TechCrunch reports, the EU agency has confirmed that this is its largest data-privacy fine to date, following an $887 million fine issued to Amazon two years ago.
Calling Meta's data flows "systematic, repetitive and continuous," the EDPB's chair Andrea Jelinek said in a statement, "The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences."
Meta, back when it was still called Facebook, was issued a $5 billion fine by the U.S. Federal Trade Commission back in 2019 over data privacy violations here at home.
With this fine, the company is vowing to appeal and to seek an immediate stay of the suspension of data flows, and a blog post from chief global affairs guy Nick Clegg and Chief Legal Officer Jennifer Newstead calls the fine "unjustified and unnecessary."
"The ability for data to be transferred across borders is fundamental to how the global open internet works," the execs say. "Thousands of businesses and other organisations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day... At a time where the internet is fracturing under pressure from authoritarian regimes, like-minded democracies should work together to promote and defend the idea of the open internet."
They also said "there is no immediate disruption to Facebook in Europe."
Meta frames the issue as a conflict between U.S. and EU privacy laws, and it points to the fact that the Irish Data Protection Commission had earlier issued smaller fines to Meta, and concluded they had acted in good faith despite the legal conflicts.
This conflict dates back a decade, to the wake of the Edward Snowden affair in 2013, when Austrian lawyer and privacy activist Max Schrems first filed a claim about how Facebook was using his data. As the Associated Press reports, "The saga has highlighted the clash between Washington and Brussels over the differences between Europe's strict view on data privacy and the comparatively lax regime in the U.S., which lacks a federal privacy law."
There is also just the logistical difficulties of retroactively scrubbing its servers of ten years worth of data on hundreds of millions of users in the EU, if it actually comes to that. Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, tells the AP, "This order to delete data is really a headache for Meta. [And] it is very hard to see how it will be able to comply with that order."
Clegg and Newstead say that "Policymakers in both the EU and the US are on a clear path to resolving this conflict" between US business practices and the EU's Data Privacy Framework.
"Our priority is to ensure that our users, advertisers, customers and partners can continue to enjoy Facebook while keeping their data safe and secure," the Meta execs say.
Photo: Justin Sullivan/Getty Images