Meta was fined a record 1.2 billion euros ($1.3 billion) on Monday and ordered to stop transferring data collected from Facebook users in Europe to the United States, in a major ruling against the social media company for violating the EU’s data protection rules.
The penalty, announced by Ireland’s Data Protection Commission, is potentially one of the most consequential in the five years since the EU adopted the landmark privacy law known as the General Data Protection Regulation. Regulators said the company failed to comply with a 2020 ruling by the EU’s highest court that data sent across the Atlantic was not adequately protected from US spy agencies.
The ruling, which was published on Monday, only applies to Facebook and not to Instagram and WhatsApp, which Meta also owns. Meta said it would appeal the decision and that there would be no immediate disruption to Facebook’s service in the EU.
Several steps remain before the company has to block the data of Facebook users in Europe – information that can include photos, friend connections, instant messages and data collected for targeted advertising. The decision comes with a deadline of at least five months for Meta to comply. And the company’s appeal will set up a potentially lengthy legal process.
EU and US officials are negotiating a new data-sharing pact that would provide legal protection for Meta to continue moving information about users between the US and Europe. A preliminary agreement was announced last year.
Nevertheless, the EU decision shows how the government’s policy cancels the limitless way in which data has traditionally moved. As a result of data protection rules, national security laws and other regulations, companies are increasingly pressured to store data in the country where it is collected, rather than allowing it to move freely to data centers around the world.
The case against Meta stems from US policy that gives intelligence agencies the ability to intercept communications from abroad, including digital correspondence. In 2020, an Austrian privacy activist, Max Schrems, won a lawsuit to invalidate a US-EU pact, known as the Privacy Shield, which had allowed Facebook and other companies to move data between the two regions. The European Court of Justice said the risk of US snooping violated the fundamental rights of European users.
“Unless US surveillance laws are fixed, Meta will have to fundamentally restructure its systems,” Schrems said in a statement on Monday. The solution, he said, was likely to be a “federated social network” where most personal data would stay in the EU except for “necessary” transfers such as when a European sends a direct message to someone in the US.
On Monday, Meta said it was unfairly singled out for data-sharing practices used by thousands of companies.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, constraining the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, chief legal officer, said in a statement.
The verdict, which is a record fine under the General Data Protection Regulation, or GDPR, was expected. Last month, Susan Li, Meta’s chief financial officer, told investors that around 10 percent of ad revenue worldwide came from ads delivered to Facebook users in EU countries. By 2022, Meta had a turnover of almost 117 billion dollars.
Meta and other companies are counting on a new data agreement between the US and the EU to replace the one invalidated by European courts in 2020. Last year, President Biden and Ursula von der Leyen, the president of the European Union, announced the outline of an agreement in Brussels, but the details is still under negotiation.
Meta faces the prospect of having to delete vast amounts of data about Facebook users in the EU, said Johnny Ryan, senior fellow at the Irish Council for Civil Liberties. That would present technical difficulties given the interconnected nature of Internet companies.
“It’s hard to imagine how it could comply with this order,” said Mr. Ryan, who has pushed for stronger data protection policies.
The decision against Meta comes almost exactly on the fifth anniversary of the GDPR. Initially held up as a model privacy law, many civil society groups and privacy activists have said it has failed to live up to its promise due to a lack of enforcement.
Much of the criticism has focused on a provision that requires regulators in the country where a company has its EU headquarters to enforce the far-reaching privacy law. Ireland, home to the regional headquarters of Meta, TikTok, Twitter, Apple and Microsoft, has faced the most scrutiny.
On Monday, Irish authorities said they were overruled by a board made up of representatives from EU countries. The board insisted on the €1.2 billion fine and forced Meta to address past data collected about users, which could include deletion.
“The unprecedented fine is a strong signal to organizations that serious breaches have far-reaching consequences,” said Andrea Jelinek, chair of the European Data Protection Board, the EU body that set the fine.
Meta has been a frequent target of regulators under GDPR. In January, the company was fined €390 million for forcing users to accept personalized ads as a condition of using Facebook. In November, a further 265 million euros was fined for a data leak.