The EU has slapped Facebook’s parent company, Meta, with a €1.2 billion fine. Meta allowed EU citizens’ data to be stored on U.S. servers for years, creating the risk that U.S. intelligence agencies could access that data.
After an inquiry, the Data Protection Commission (DPC), an Ireland-based privacy watchdog, announced on Monday, May 22nd, that Meta had therefore violated the EU’s General Data Protection Regulation (GDPR).
The organization, which is the lead EU regulator for many of the world’s top tech firms, said that Meta’s use of a legal instrument—known as standard contractual clauses (SCCs)—to move data to the U.S. “did not address the risks to the fundamental rights and freedoms” of Facebook’s European users.
In a comment on the DPC’s report, Chair of the European Data Protection Board Andrea Jelinek said:
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
In addition to paying the record fine, Meta must cease transferring Europeans’ personal data to U.S. servers within five months, and move all data still stored on them to Europe. Meta plans to appeal the ruling.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” Meta’s President of Global Affairs Nick Clegg and Chief Legal Officer Jennifer Newstead said in a statement.
The origin of the EU’s scrutiny of Meta’s handling of its citizens’ data goes back to NSA whistleblower Edward Snowden. In 2013, he revealed that U.S. secret services had access to just about all data that large U.S. Internet companies such as Facebook (now Meta), Google, and Microsoft had accumulated through their users.
Max Schrems, an Austrian privacy advocate, then started a legal crusade against Facebook, having come to the realization that European data could never be safely entrusted to these companies. Taking note of European privacy laws, he concluded that data should not be allowed to be transferred to U.S. servers.
In 2015, the European Court of Justice in Luxembourg agreed with Schrems’s assessment, and declared the ‘Safe Harbor’ agreement between Europe and the U.S., which regulated the transfer of data, to be invalid. Another agreement of that type, the ‘EU-US Privacy Shield’, also did not pass muster.
Europe and the U.S. are currently negotiating a new arrangement, and expect it to be clinched next July. In that case, Meta would no longer be obligated to stop the flow of data to the U.S.