Meta on Monday was fined a record 1.2 billion euros ($1.3 billion) and ordered to stop transferring data collected from Facebook users in Europe to america, in a serious ruling against the social media company for violating European Union data protection rules.
The penalty, announced by Ireland’s Data Protection Commission, is potentially some of the consequential within the five years for the reason that European Union enacted the landmark data privacy law often known as the General Data Protection Regulation. Regulators said the corporate didn’t comply with a 2020 decision by the E.U.’s highest court that data shipped across the Atlantic was not sufficiently shielded from American spy agencies.
The ruling announced on Monday applies only to Facebook and never Instagram and WhatsApp, which Meta also owns. Meta said it could appeal the choice and that there can be no immediate disruption to Facebook’s service within the Europe Union.
Several steps remain before the corporate must cordon off the information of Facebook users in Europe — information that would include photos, friend connections, direct messages and data collected for targeting promoting. The ruling comes with a grace period of a minimum of five months for Meta to comply. And the corporate’s appeal will arrange a potentially lengthy legal process.
European Union and American officials are negotiating a latest data-sharing pact that may provide latest legal protections for Meta to proceed moving details about users between america and Europe. A preliminary deal was announced last 12 months.
Yet the E.U. decision shows how government policies are upending the borderless way that data has traditionally moved. Consequently of data-protection rules, national security laws and other regulations, firms are increasingly being pushed to store data throughout the country where it’s collected, somewhat than allowing it to maneuver freely to data centers all over the world.
The case against Meta stems from U.S. policies that give intelligence agencies the power to intercept communications from abroad, including digital correspondence. In 2020, an Austrian privacy activist, Max Schrems, won a lawsuit to invalidate a U.S.-E.U. pact, often known as Privacy Shield, that had allowed Facebook and other firms to maneuver data between the 2 regions. The European Court of Justice said the danger of U.S. snooping violated the basic rights of European users.
“Unless U.S. surveillance laws get fixed, Meta may have to fundamentally restructure its systems,” Mr. Schrems said in a press release on Monday. The answer, he said, was likely a ”federated social network” through which most personal data would stay within the E.U. apart from “mandatory” transfers like when a European sends a direct message to any individual in america.
On Monday, Meta said it was being unfairly singled out for data-sharing practices utilized by hundreds of firms.
“Without the power to transfer data across borders, the web risks being carved up into national and regional silos, restricting the worldwide economy and leaving residents in numerous countries unable to access lots of the shared services we have now come to depend on,” Nick Clegg, Meta’s president of world affairs, and Jennifer Newstead, the chief legal officer, said in a press release.
The ruling, which is a record wonderful under the G.D.P.R., had been expected. Last month, Susan Li, Meta’s chief financial officer, told investors that about 10 percent of its worldwide ad revenue got here from ads delivered to Facebook users in E.U. countries. In 2022, Meta had revenue of nearly $117 billion.
Meta and other firms are counting on a latest data agreement between america and the European Union to interchange the one invalidated by European courts in 2020. Last 12 months, President Biden and Ursula von der Leyen, the president of the European Union, announced the outlines of a deal in Brussels, but the main points are still being negotiated.
Meta faces the prospect of getting to delete vast amounts of information about Facebook users within the European Union, said Johnny Ryan, senior fellow on the Irish Council for Civil Liberties. That may present technical difficulties given the interconnected nature of web firms.
“It is tough to assume how it could possibly comply with this order,” said Mr. Ryan, who has pushed for stronger data-protection policies.
The choice against Meta comes almost exactly on the five-year anniversary of G.D.P.R. Initially held up as a model data privacy law, many civil society groups and privacy activists have said it has not fulfilled its promise due to lack of enforcement.
Much of the criticism has focused on a provision that requires regulators within the country where an organization has its European Union headquarters to implement the far-reaching privacy law. Ireland, home to the regional headquarters of Meta, TikTok, Twitter, Apple and Microsoft, has faced essentially the most scrutiny.
On Monday, Irish authorities said they were overruled by a board made up of representatives from E.U. countries. The board insisted on the €1.2 billion wonderful and forcing Meta to handle past data collected about users, which could include deletion.
“The unprecedented wonderful is a robust signal to organizations that serious infringements have far-reaching consequences,” said Andrea Jelinek, the chairwoman of the European Data Protection Board, the E.U. body that set the wonderful.
Meta has been a frequent goal of regulators under the G.D.P.R. In January, the corporate was fined €390 million for forcing users to just accept personalized ads as a condition of using Facebook. In November, it was fined one other €265 million for a knowledge leak.
