Meta fined record $1.3 billion for not meeting EU data privacy standards

Despite the massive penalty, little may change so long as US data law remains lax.

Ireland’s Data Protection Commission (DPC) slapped Meta with a record-shattering $1.3 billion (€1.2 billion) fine Monday alongside an order to cease transferring EU users’ Facebook data to US servers. But despite the latest massive penalty, some legal experts warn little will likely change within Meta’s overall approach to data privacy as long as US digital protections remain lax.

The fine caps a saga initiated nearly a decade ago thanks to whistleblower Edward Snowden’s damning reveal of American digital mass surveillance programs. Since then, data privacy law within the EU changed dramatically following the 2016 passage of its General Data Protection Regulations (GDPR). After years of legal back-and-forth in the EU, Ireland’s DPC has determined Facebook’s data transfer protocols to the US do not “address the risks to the fundamental rights and freedoms” of EU residents. In particular, the courts determined EU citizens’ information could be susceptible to US surveillance program scrapes, and thus violate the GDPR.

User data underpins a massive percentage of revenue for tech companies like Meta, as it is employed to build highly detailed, targeted consumer profiles for advertising. Because of this, Meta has fought tooth-and-nail to maintain its ability to transfer global user data back to the US. In a statement attributed to Meta’s President of Global Affairs Nick Clegg and Chief Legal Officer Jennifer Newstead, the company plans to immediately pursue a legal stay “given the harm that these orders would cause, including to the millions of people who use Facebook every day.” The Meta representatives also stated “no immediate disruption” would occur for European Facebook users.

As The Verge notes, there are a number of stipulations even if Meta’s attempt at a legal stay falls apart. Right at the outset, the DPC’s decision pertains only to Facebook, and not Meta’s other platforms such as WhatsApp and Instagram. Next, Meta has a five-month grace period to cease future data transfers alongside a six-month deadline to purge its current EU data held within the US. Finally, the EU and the US are in the midst of negotiations regarding a new data transfer deal that could finalize as soon as October.

Regardless, even with the record-breaking fine, some policy experts are skeptical of the penalty’s influence on Meta’s data policy. Over the weekend, a senior fellow at the Irish Council for Civil Liberties told The Guardian that, “A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally.” Although some states including California, Utah, and Colorado have passed their own privacy laws, comprehensive US protections remain stalled at the federal level.