Meta slapped with €1.2B fine by EU data regulators over data transfers

Meta, the parent company of social media company Facebook, has been slapped with a fine of $1.3 billion by European Union (EU) data regulators and ordered to stop transferring the Facebook data of EU citizens to the United States (US).

Ireland's Data Protection Commission has ordered Meta to halt the transfers of Facebook user data from the EU to the US. Furthermore, the European Data Protection Board has ruled that the previously transferred data must be brought back to EU data centres.

This development follows concerns raised by EU courts regarding privacy violations and the exposure of EU citizens to potential risks stemming from US mass surveillance programmes, which were initially brought to light by whistleblower Edward Snowden back in 2013.

Max Schrems, an Austrian privacy activist, had challenged Facebook’s data transfers to the US after revelations by National Security Agency whistleblower Snowden about US surveillance programmes. Schrems argued that Facebook couldn’t guarantee the privacy rights of users from the EU.

Initially, Ireland’s privacy watchdog rejected his complaint, citing the EU’s data-sharing agreement with the US, called Safe Harbour, which supposedly made the transfers legal. However, Schrems persisted and, in 2015, the EU’s highest court, the Court of Justice, invalidated the agreement as it didn’t protect the privacy rights of EU users.

"The fine could have been much higher, given that the maximum fine is more than 4 billion (USD), and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems," said Schrems.

As a potential long-term solution, Scherms has suggested a "federated" social network, allowing most personal data to remain in the EU, while permitting necessary transfers for specific interactions between users in EU and the US, such as instant messages.

The ruling may open the floodgates for further litigation, with users potentially seeking emotional damages for infringements on their data protection rights, he observed.

Currently, Dutch consumer rights organisation Consumentenbond is rallying Dutch Facebook users to file claims over EU-US data transfers.

"Furthermore, the EU's Collective Redress Directive must also be implemented this summer, which will for the first time allow collective actions by European user for GDPR violations," said Schrems.

The conflict between EU privacy laws and US surveillance laws extends beyond Meta and affects US cloud providers such as Microsoft, Google, and Amazon.