Here is a status update Facebook did not want to post. The EU has fined its parent company Meta €1.2bn for breaching data protection laws. The bloc ruled Meta’s legal basis for transferring data harvested in the EU to the US does not hold water. It must end the practice pronto.
Meta is unlikely to attract much sympathy following the ruling. Data protection is a vital issue. It is one that Facebook users — bombarded by targeted ads — have grown increasingly concerned about. Governments the world over fear foreign institutions’ use of their citizens’ data.
While the Meta fine is a record for the EU, it is only about a quarter of the maximum possible levy, according to London law firm Fladgate. It is also small beer in the context of Meta’s $630bn market capitalisation.
That said, Meta does seem to be the victim of inconsistencies in cross-border policy. European GDPR legislation is stricter than comparable US rules. In particular, the US makes it easier for law enforcement agencies to gain access to data, and harder for consumers to seek redress. It is a long-standing issue. US companies have struggled to find a legal way to transfer their European clients’ data back home.
Companies have so far relied on standardised contractual clauses (SCCs) — agreements between their European and US entities — to protect data. The EU’s Meta ruling makes it clear that these SCCs, by themselves, will not stick.
As Meta prepares its appeal, other companies will examine how they might be affected. SCCs are used by thousands of companies. Other Big Tech giants risk also getting caught in regulators’ crosshairs. They will hope that the EU and US quickly implement a deal to align data protection laws. One has already been agreed, in broad terms, and should come into force in the next few months.
The fact the EU’s data protection authority chose to crack the whip in the first place is a useful datapoint for large tech companies. It shows that the continent’s regulators are still giving them a resounding thumbs-down.