The size of Meta’s new record-breaking privacy fine in Europe is making observers wide-eyed on both sides of the Atlantic, but some experts say the latest ruling’s impact on the giant’s data business is even more important to watch.
On Monday, Ireland’s Data Protection Commission announced a $1.3 billion fine against Meta for breaching privacy protection laws related to data transfers between Europe and the U.S. However, the decision also requires Meta to pause all data transfers between the EU and U.S. within five months and make changes within six months or be forced to delete a decade’s worth of EU user data — both of which might be more monumental to Meta than even the record-breaking fine itself.
The new ruling doesn’t focus directly on Meta’s massive ads business, but applies to various types of European user data including contacts, photos, messages and various activities on Facebook and integrated third-party websites or apps.
Although many of Facebook’s privacy woes are tied to Cambridge Analytica, the new EU decision dates back to a decade-old legal battle related to Facebook data accessible by the National Security Agency. Some see the DPC’s ruling as a sign the EU is losing patience when it comes to how to enforce data privacy laws such as the General Data Protection Regulations, which went into effect five years ago this week. (The investigation was conducted by Ireland’s DPC and the fine was set by the European Data Protection Board.)
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous,” EDPB Chair Andrea Jelinek said in a statement. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
There are also still questions as to what impact the ruling might have either directly or indirectly, especially with 10% of Meta’s global ad revenue coming from Europe — not to mention all the revenue that other companies both large and small make through Meta’s platform.
Joe Jones, director of research and insights at the International Association of Privacy Professionals, said the DPC’s decision also puts other revenue streams at risk without a new data flows agreement going into effect. He also noted that dozens of publicly traded companies companies have warned of the impact that could come from data transfer rules.
“There are thousands of companies that rely on Meta’s advertising,” Jones said. “Thousands more in the ad tech sector beyond Meta and its ecosystem that will be feeling the chills of this enforcement…Meta is arguably the canary in the coal mine…The consequential impact of turning the taps off transatlantic data transfers and deleting data already in the U.S. will be felt more widely.”
Digital advertising companies are paying close attention to changes in data transfer rules between the U.S. and Europe. In 2020, an EU court struck down the previous framework, but so far countries it applied to have not yet agreed on an official replacement. The subject and its potential impact have come up in various quarterly and annual reports filed by Snap, Alphabet, Pinterest and Duolingo as well as ad-tech companies such as The Trade Desk, Pubmatic and Yext.
Meta claims the decision won’t impact its advertising business. However, the company’s blog post about the ruling pointed out the broad impact the ruling could have. It also argued that a lack of cross-border data transfers could risk the internet “being carved up into national and regional silos restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.” (Meta also said it plans to appeal the decision while also seeking a stay to pause the compliance deadline.)
Monday’s fine — larger higher than the more than $80 million charge the EU levied against Amazon in 2021 — is “almost immaterial” compared to the broader impact, according to Johnny Ryan, senior fellow at the Irish Council For Civil Liberties. He also pointed out another thing: When the Federal Trade Commission issued a $5 billion fine against Facebook in 2019 as part of the privacy settlement related to the Cambridge Analytica scandal, the company’s stock rose the very next day.
“Even a billion Euro parking ticket is of no consequence to a company that earns many more billions by parking illegally,” Ryan said. “What really hurts Meta is the order to delete data…Meta has such poor internal accounting of what data it has put where that this will be very hard, perhaps nearly impossible.”
Although the latest ruling is focused on the flagship Facebook app, some think the decision should also apply other Meta-owned platforms such as Instagram and WhatsApp. Meta’s efforts to collect and use data across platforms will create an ongoing challenge in securing and deleting data in compliance with EU laws, notes to Zamaan Qureshi, a policy advisor and social media coordinator for the Real Facebook Oversight Board. (The watchdog group of independent experts includes early Facebook investor-turned-critic Roger McNamee.)
“From an outside perspective, that just shows me Facebook wants to increase its data collection and centralize it into one place,” Qureshi said. “When we’re talking about its products, I wonder how much each of its products are separated from each other now and how they can do that technically.”
The ruling comes as Meta also faces additional pressures in the U.S. related to its data practices for younger users. Earlier this month, the Federal Trade Commission announced a new proposal to ban Meta’s platforms from monetizing users under the age of 18 and also prohibit the company from releasing new products and services before they’re reviewed by a third-party auditor. Meanwhile, Utah and Arkansas were among the states to pass new child safety laws for social media usage, with other states also considering their own legislation.
The Interactive Advertising Bureau cited the DPC’s ruling as a reason for lawmakers to move forward with a new Transatlantic agreement. In a statement on Monday afternoon, the IAB said EU courts have left U.S. businesses “relying on standard contractual clauses” and that the new ruling has “practically eliminated this measure of legal protection too, injecting further uncertainty into a vital economic relationship.”
Others say the decision has less to do with just Facebook and more to do with U.S. law, Georgetown Law professor Anupam Chander pointed out in a Twitter thread about the ruling.
“This decision is about the NSA and U.S. law, not about Facebook’s practice,” Chander wrote in a tweet. “In the decision, Snowden is mentioned 10 times; the NSA, 10 times; PRISM, 32 times; FISA 58 times…Again, this is not a case about Meta — any organization, large or small, that transfers data outside the EU to almost any country faces the risk that an EU data protection authority will conclude that national security law of that third country is inadequately protective.”