Meta Fined $1.3 Billion Over Data Transfers to U.S.

Posted on 05/22/23 | News Source: WSJ

Facebook owner Meta Platforms was fined $1.3 billion by European Union regulators for sending user information to the U.S., a record privacy penalty for the bloc.

The ruling raises pressure on the U.S. government to complete a deal that would allow Meta and thousands of multinational companies to keep sending such information stateside. The size of the fine also underscores the increasing risks of running afoul of the European Union’s privacy rules as its enforcement tightens.  

Tech companies have been especially vulnerable to regulatory scrutiny over European privacy concerns. That has only increased since European courts overturned in 2020 a previous, data-sharing deal between the U.S. and EU. 

Most large international companies—not just tech firms—rely on a relatively free flow of data across the Atlantic, and the steep fine punctuates the risks companies of all stripes are taking without a new deal in place.

Meta’s top privacy regulator in the EU said in its decision Monday that Facebook has for years illegally stored data about European users on its servers in the U.S., where it contends the information could be accessed by American spy agencies without sufficient means for users to appeal.

The 1.2-billion-euro fine surpasses the previous record of €746 million, or $806 million, levied under the General Data Protection Regulation, against Amazon in Luxembourg in 2021 for privacy violations related to its advertising business. Amazon has appealed that decision in Luxembourg courts.

The steep fine represents a step change from EU privacy regulators, who are increasing their enforcement of the GDPR, the bloc’s privacy law, some five years after it came into effect. A board of EU regulators has taken more control over cross-border decisions—and has insisted on bigger fines, people familiar with the deliberations say. 

Ahead of Monday’s decision, the EU board insisted that Ireland issue a fine of between 20% and 100% of the maximum allowable penalty, the decision said. The GDPR allows for a fine of up to 4% of worldwide annual revenue, or nearly $4.7 billion in Meta’s case. 

“Facebook has millions of users in Europe, so the volume of personal data transferred is massive,” said Andrea Jelinek, chair of the board of EU privacy regulators. “The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”