Ireland’s Data Protection Commission (DPC) has fined Meta a record-breaking $1.3 billion for transferring the personal data of Facebook’s users in the European Union to servers in the United States.
Regulators say Meta’s actions violate EU data-protection rules as brands struggle to navigate the future of data-privacy standards.
The DPC’s ruling stems from laws created in response to what Edward Snowden, the former American intelligence contractor, consultant and whistleblower, revealed about data transfers in 2013. Those laws include 2018’s landmark data-privacy law, the General Data Protection Regulation (GDPR), which made Europe the world’s top technology watchdog as it allowed people to request their online data and restricted how businesses obtained and handled the data.
Meta’s data transfers to the U.S. “did not address the risks to the fundamental rights and freedoms of Facebook users in the EU,” stated the DPC.
Regulators added that Meta’s data transfers also failed to comply with the EU’s 2020 decision to strike down the Privacy Shield law, which originally allowed businesses in the EU and the U.S. to move data seamlessly between the two regions.
Meta is planning to appeal the decision -- which only applies to Facebook, not Instagram or WhatsApp, the company’s other leading social media platforms.
Per the ruling, Meta also has a five-month grace period before it must stop future transfers and a six-month deadline to discontinue holding current data in the U.S.
In addition, Meta may avoid penalties if the EU and U.S. finalize a new data-sharing pact, announced last year, that would make data transfers between regions legal.
The transfer of data to the U.S. is essential for Meta’s ad-targeting strategy. In 2022, the company threatened to shut down Facebook and Instagram in the EU if it wasn’t allowed to send data back to the U.S., saying that if a new data transfer framework was not adopted, it “would materially and adversely affect our business, financial condition, and results of operations.”
Overall, while efforts continue to pass federal privacy legislation in the U.S. -- such as the American Data Privacy and Protection Act, which aims to create a national framework for data privacy -- the GDPR remains the standard for brand operations.
“The window of opportunity for leniency in privacy compliance is closing rapidly, and both global and US brands must ensure that their standards are up to par to avoid facing legal consequences,” said Hugo Loriot, partner at Global Martech Consultancy fifty-five, in an email to MediaPost. “From Meta to Sephora, we are increasingly seeing large retailers and businesses being held accountable by federal courts for flouting data privacy compliance regulations.”
Loriot said that these legal battles have served as a wake-up call for brands, emphasizing the significance of privacy protection. “We can expect to see more of these cases in the near-term as the ‘grace period’ for privacy compliance closes.”
“This is a concerning situation for businesses across the UK,” added Chris Combemale, CEO of the UK’s Data and Marketing Association (DMA). “Particularly those who have customers based in the EU and who use cloud tech services hosted in the US.”
Combemale told MediaPost that the DMA is reviewing the case to determine how it will influence UK companies and believes that the DPC’s fine “raises important questions about differing privacy standards between countries outside of the EU with commercial interests inside of it.”