The European Union on Monday fined Meta a record $1.3 billion for transferring European users’ data to the US.
The penalty marks the largest since the EU implemented harsher data privacy laws in 2018 — and the end of a decade-long case that was filed by Austrian lawyer and privacy activist Max Schrems, according to AP News.
In 2013, Schrems filed a complaint about Facebook’s handling of his data after then-National Security Agency contractor Edward Snowden leaked classified documents revealing the mass surveillance of American citizens by their own intelligence apparatus.
The leaked information included the revelation that Facebook gave US agencies access to Europeans’ personal data.
While the US has no comprehensive federal law to police data privacy, the EU has the Digital Services Act, which forces big tech companies to protect European users from hate speech, disinformation and other harmful online content, according to AP.
The EU and US also followed the Privacy Shield framework, which allowed companies on both sides of the Atlantic to transfer personal data while following protection requirements. The Privacy Shield was implemented in 2016, but was later struck down by the Court of Justice of the European Union in 2020, citing concerns that it could not ensure data security for Europeans once their information was sent to the US.
Monday’s decision by the EU’s top court to fine Meta is the largest since Amazon was fined $800 million in 2021 for data protection violations, AP reported. It also confirmed that another tool governing data transfers — stock legal contracts — is invalid.
Meta was also ordered to return all personal data to its EU data centers.
Schrems said in a statement that “the fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”
Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, chief legal officer at Meta, said in a blog post on Monday that “this decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”
Meta plans to “appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts.”
The blog post also said that “the ability for data to be transferred across borders is fundamental to how the global open internet works.” By stopping “the free flow of data,” the internet will “restrict the global economy,” leaving “citizens in different countries unable to access many of the shared services we have come to rely on.”
There was no immediate disruption to Facebook in Europe on Monday. The decision only applied to Facebook, not Meta’s other platforms.
Ireland’s Data Protection Commission handed down the fine because the Silicon Valley-based tech giant’s European headquarters are in Dublin, according to AP.
Meta now has six months to bring its data operations into compliance “by ceasing the unlawful processing, including storage, in the US” of European users’ personal data that was transferred stateside in violation of the EU’s data privacy laws.