Meta $1.3B fine and what to expect next

Meta has been fined USD 1.3 billion by the European regulators for sending user information to the United States.

The USD 1.3 billion fine is significantly lower compared to what the GDPR allows for, 4% of the violator’s annual revenue, which in Meta’s case would have been USD 4.7 billion. Moreover, the decision that came from Ireland’s Data Protection Commission (DPC) orders Meta to stop sending personally identifiable data about Facebook’s European users to the United States and delete the already sent information from the last six months.

This record privacy penalty adds new pressure on the US government to complete an agreement with the block to allow companies like Meta to send information across the Atlantic.

After the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield Agreement between the US and the EU in July 2020, multinationals companies have found themselves in limbo for lack of guidance from either side, yet the flow of data has continued unrestricted. The core of the problem lies in the ability of US government agencies – read the NSA – to have unrestricted access to data belonging to European citizens once transferred to the US. Such transfers are often the case because multinational companies maintain servers and offer their services from within the territory of the United States.

Without a US-EU deal international companies, including the tech giants, could face potential privacy investigations and orders to suspend data flows to the US. The real problem then emerges when billions of dollars in advertising, artificial intelligence, human resources, and cloud services are blocked and become inaccessible.

The new EU-US Data Privacy Framework, or Privacy Shield 2.0, was announced in December of 2022 and aims at addressing the concerns raised by the CJEU in its 2020 decision. Under the new agreement, the EU would lift its restrictions for companies sending data to the US provided the US has adopted new rights for EU citizens to appeal surveillance.

In reality, the new Privacy Framework has not been officially agreed to because some EU officials claim that the US has not fully implemented their end of the deal while others push for further negotiations. Until then, companies need to determine the adequacy of data protection standards in the receiving country and use Standard Contractual Clauses (SCCs) for international data transfers issued by the European Commission.