Meta in a Mega Data Mess

Meta, the company we all knew as Facebook some years ago, is in a mega mess of sorts, having been hit with a formal suspension order from the European Union asking the company to stop exporting data from the EU over to the US for processing. They’ve also been slapped with a huge $1.3 billion dollar fine in the matter. 

The order was issued by the European Data Protection Board (EDPB) which imposed the fine of 1.2 billion Euros, which is the largest ever fine issued under the region’s General Data Protection Regulation (GDPR). This one surpassed the earlier $887 million that it had imposed on Amazon for misusing customer data for ad targeting back in 2021.

A pan-EU regulation that Meta puts as a battle among countries

Meta is facing the sanction for breaching conditions that have been set out in the pan-EU regulation that governs transfer of personal data to third countries without first ensuring adequate protections for the owners of such data. Readers would recall that European judges had upbraided US surveillance practices that it found to be in conflict with US privacy rights. 

In a statement issued by EDPB’s chair Andrea Jelinek, it said that the Board found Meta IE (Ireland) infringing the norms around transfers that are systematic, repetitive and continuous. Given that Facebook has millions of users in Europe, the volume of personal data transferred is massive, the statement said. 

The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences, the EPDB said. The Irish Data Protection Commission (DPC), which is responsible for implementing the Board’s binding decision came out with its own decision on the matter which can be read here. 

Meta is definitely going in appeal, says its bosses

In response to the notification, Meta put out a blog post confirming that it would go on appeal. The blog post described the fine as “unjustified and unnecessary” and sought to blame the issue on the conflict between the EU and US laws instead of its own practices on privacy matters. 

Nick Clegg, president, global affairs and Jennifer Newstead, chief legal officer, wrote in the blog that “Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on. That’s why providing a sound legal basis for the transfer of data between the EU and the US has been a political priority on both sides of the Atlantic for many years.” 

Meta brings the Chinese angle into the puzzle

At a time where the internet is fracturing under pressure from authoritarian regimes, like-minded democracies should work together to promote and defend the idea of the open internet. No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China, the blog post said. 

It is worth mentioning here that while the latest fine and suspension order is limited to Facebook data, Meta is not the only company affected by the legal uncertainty attached to the EU-US data transfers. In its conclusion, the DPC of Ireland says, “This decision will bind Meta Ireland only. 

“It is clear, however that the analysis in this decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA” — so pressure is likely to be amped up on lawmakers on both sides of the Atlantic to get the deal over the line, it goes on to say. 

This is a story that hasn’t moved to its conclusion. If anything, this appears to be a start of a long battle about how global companies move their data around, especially since countries like India too are coming up with similar norms around data privacy issues and transfer.