In Victory for Online Privacy, Facebook Fined $1.3 Billion for Sending EU User Data to US
"Unless U.S. surveillance laws get fixed," said one privacy campaigner, "Meta will have to fundamentally restructure its systems."
Facebook and its parent company, Meta, will soon be forced to "fundamentally" change the structure of the social media platform, said one advocate following a ruling announced Monday by a data privacy panel in Ireland.
The Data Protection Commission in Ireland, where Facebook has its European Union headquarters, announced that the European Data Protection Board (EDPB) found the tech company liable for a $1.3 billion fine for transferring data from E.U. users to the United States and storing it there. The company was given six months to return all personal data to data centers in the E.U. and to stop transferring the information, including photos, communications, and information gathered for targeted ads.
The ruling comes three years after the European Court of Justice (ECJ) determined that data sent from the E.U. was not sufficiently protected from government spying in the U.S. The EDPB on Monday said Facebook has refused to comply with that ruling and the General Data Protection Regulation (GDPR), a set of privacy laws passed five years ago.
By transferring and storing the data of millions of E.U. users, Facebook committed "systematic, repetitive, and continuous" infringements of European users' rights, the EDPB found.
"Facebook has millions of users in Europe, so the volume of personal data transferred is massive," said Andrea Jelinek, chair of the EDPB. "The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences."
A number of tech observers said the monetary fine is relatively inconsequential to the $562 billion company, but pointed to the order that Facebook delete "a decade of data" that it's relied on for targeted advertising.
"BAM. There it is, PAGE 253 of the order. Facebook has to delete all of its illegally collected EU data from storage. They're also being fined $1.3 BILLION but as I've said that's the insignificant hit to its surveillance capitalism business model." — Jason Kint (@Jason Kint)
The "imposition of a major fine reflects the company's continuous failure to secure the data of its users and comply with regulators," said the Real Facebook Oversight Board, a coalition of academics, journalists, and civil rights campaigners. "Meta is one of a few large companies that rely on contractual clauses to allow unfettered access to users' data. Fines may not force Meta to change its behavior, but they are a critical reminder that the company has been found, yet again, to have broken the law."
Susan Li, chief financial officer of Meta, told investors last month that the company makes 10% of its worldwide ad revenue from ads in European countries, suggesting it relies heavily on the practices the EDPB has ruled it must end.
Max Schrems, an Austrian privacy activist who won the case that went to the ECJ in 2020 regarding E.U.-U.S. data sharing, noted that "the fine could have been much higher, given that the maximum fine is more than $4 billion and Meta has knowingly broken the law to make a profit for ten years."
However, "unless U.S. surveillance laws get fixed," said Schrems, "Meta will have to fundamentally restructure its systems."
The U.S. and E.U. are currently working out a data sharing agreement to replace the "Privacy Shield" pact that was struck down in 2020.
To enable Facebook and other companies to continue moving information from the E.U. to the U.S., said Schrems, "the simplest fix would be reasonable limitations in U.S. surveillance law" to assure European officials that users will not be put at risk by American spy agencies.
"There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance," said Schrems. "It would be time to grant these basic protections to E.U. customers of U.S. cloud providers. Any other big U.S. cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under E.U. law."
Congress is set to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA) this year, and the law is a frequent target of privacy advocates who object to the mass collection of geolocation data and other rights abuses.
Without far-reaching changes to surveillance in the U.S., said Schrems, "the long-term solution seems to be some form of 'federated social network' where most personal data would stay in the E.U., while only 'necessary' transfers would continue—for example when a European sends a direct message to a U.S. friend."
Facebook said Monday that it plans to appeal the decision, but Schrems said the company can likely only "delay the payment of the fine for a bit."
"There is no real chance," he said, "to have this decision materially overturned."