Meta has six months to get the data of European Facebook users off its US servers and owes the European Union €1.2 billion ($1.3 billion) under a decision announced Monday by the European Data Protection Board (EDPB).
The board’s 222-page decision (PDF) focuses less on what Meta’s Irish subsidiary, which runs its European operations, has done with the information of EU Facebook users and more on what it can’t do to safeguard that data from the curiosity of the National Security Agency.
The EDPB held that the latter shortfall violates a core principle of the General Data Protection Regulation, the vast set of privacy rules that went into effect five years ago. Firms doing business in the EU cannot transfer people’s data out of it without securing “appropriate safeguards” that include “enforceable data subject rights and effective legal remedies.”
As Irish data protection commissioner Helen Dixon summarized in the EDPB ruling, Facebook “does not have in place supplemental measures which compensate for the inadequate protection provided by US law.”
That’s been an existential issue for US tech firms with transatlantic operations ever since Edward Snowden’s 2013 revelations of bulk surveillance by the NSA. It led to a complaint filed with the EU by Austrian privacy activist Maximillian Schrems that Facebook had left his information exposed to US surveillance agencies. In 2015, the Court of Justice of the European Union agreed with him and struck down a 2000-vintage “Safe Harbor” agreement between the US and the EU that authorized transatlantic data flows.
A revised Privacy Shield agreement meant to address that ruling itself got thrown out by the CJEU in 2020 after Schrems renewed his complaint. That led to the US and the EU inking a revised framework last May that President Biden approved with an October executive order that will create an appeals process for European citizens who think US intelligence agencies collected their information either in violation of US law or the new framework’s privacy principles.
But governments on each side of the Atlantic have yet to finish implementing this new deal. Reuters reports that a European Commission spokesman told journalists that the EC will complete that work by this summer, so the court ruled it was not relevant in this case.
The billion-dollar penalty assessed against Meta’s Irish subsidiary, from which it runs its EU operations, falls short of the Federal Trade Commission’s $5 billion fine of Facebook in 2019 for its deceptive conduct in the Cambridge Analytica scandal.
In addition to the six-month deadline to delete EU users’ information from US servers, the decision gives Meta five months to stop data transfers to the US. But the EDPB essentially ordering Facebook to firewall that data presents a much larger problem. In a Monday statement, Facebook said those orders would break its service, and vowed to appeal the ruling.
“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” wrote Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, its chief legal officer.
That statement also noted that the EU’s decision (which does not apply to Meta’s Instagram or WhatsApp) leaves other services just as vulnerable.
“Ultimately, the invalidation of Privacy Shield in 2020 was caused by a fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans,” Clegg and Newstead wrote. “We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.”
Schrems, now honorary chairman of the European privacy group noyb, essentially agreed in a statement on that group’s site, saying “Any other big US cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under EU law.”
The centralized social network that might find itself most nervous Monday, however, is a smaller service that has been struggling to keep its existing privacy measures working as advertised–and is on the radar of European regulators. But the odds are good that Twitter’s EU privacy law experts got kicked to the curb as part of Elon Musk’s rounds of mass layoffs.