Meta just got hit with a record-setting tech penalty. Now it’s Biden’s move.
A U.S.-EU split is turning costly.
With an unprecedented $1.3 billion fine Monday, Meta became the first American tech giant ordered to shut off its transatlantic flow of user data under European privacy rules — putting new pressure on the Biden administration to solve a major disconnect between American and European data regulations.
The Irish Data Protection Commission found that Meta violated European data privacy regulations by transferring EU users’ data to the U.S. without a proper framework in place to protect EU citizens from American government surveillance. The agency fined Meta $1.3 billion — a record under Europe’s data privacy regulations — and ordered the company to stop transferring its data to U.S. servers.
The fine highlights the need for the Biden administration to finalize negotiations with the EU to get a transatlantic data deal in place. Without that, Meta could be the first of many U.S.-based companies to face similar penalties for similar conduct. Companies could also look to make costly infrastructure investments to keep that data in the EU, but that could be cost-prohibitive for all but the largest.
The gap affects not only major tech platforms like Meta, but virtually any American company, large or small, conducting transatlantic business with customers in Europe.
Since 2018, European law has limited data collection on EU citizens — and required that any company with that data must offer them a way to challenge companies if they believe their data was improperly collected, used or shared.
In 2020, the Court of Justice of the European Union ruled that surveillance programs operated by the United States’ intelligence agencies violated EU privacy rules, and didn’t provide a method for EU citizens to challenge the collection of their data — a decision that essentially made it illegal to transfer data between the regions.
The Biden administration announced an executive order last October to establish a data privacy framework between the U.S. and the EU that would solve the problem, allowing American companies to transfer data across the Atlantic while allowing EU citizens to challenge the collection of their data.
The order, which still needs approval from the EU Commission, hinges on the establishment of a new Data Protection Review Court that would allow European citizens to file claims if they believe their data was not collected in a necessary and proportionate manner.
Without European approval of that order, however, American companies risk facing penalties if they transfer data from the EU to the U.S., which is what happened to Meta.
The resulting fine surpassed the $887 million penalty imposed on Amazon in 2021 for violating privacy standards involving targeted advertisements.
Meta said Biden’s executive order, once approved, should resolve this issue. That order is expected to be approved by the end of this summer. Meta isn’t required to stop transferring data between the two regions until Oct. 12, according to Monday’s order, but it would still need to pay the fine. The company also has until November 12 to delete or move back all data belonging to EU citizens stored in the U.S. since 2020.
This could also be avoided if the EU-U.S. data privacy framework is approved before the deadline.
The order highlights the tech industry’s challenge in navigating Europe’s new digital rules, notably the General Data Protection Regulation, which celebrates its fifth anniversary this year.
While GDPR is often criticized as toothless, the ruling against Meta serves as a warning as many nations’ regulators take a decidedly different approach to consumer protection than the U.S. government.
In a statement published on Monday by Meta’s president of global affairs, Nick Clegg, and chief legal officer Jennifer Newstead, the company pointed to ongoing negotiations over the EU-U.S. data privacy framework and Biden’s executive order from last October. The two said the company will appeal the decision, calling the fine "unnecessary" and "unjustified."
“We are pleased that the [Irish Data Protection Commission] also confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects’ data once the underlying conflict of law has been resolved,” Clegg and Newstead said. “This will mean that if the [Data Privacy Framework] comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users.”
Meta has warned in the past that it could drop services like Facebook and Instagram in Europe if it can’t transfer data between the EU and the U.S.
The Biden administration unveiled its proposal in an executive order in October, but is still waiting for the European Commission to approve it. Negotiating a deal has taken longer than expected because of delays in setting up key elements of the order on the U.S. side, as well as strong skepticism from the EU. Negotiations on the U.S. side involve leadership from the Commerce Department, Justice Department and the Office of the Director of National Intelligence.
“The EU, and the U.S., both negotiating teams, are seized with the importance of this Meta case and what it means. It doesn’t provide a deadline but it certainly sharpens a focus to get this done,” Joe Jones, director of research and insights for the International Association of Privacy Professionals, said. “You can bet that Meta and other companies are knocking on this door to get this done.”
While key components of the Data Protection Review Court are in place, like a budget and a physical location for the building, the most important elements, the judges and special advocates for EU citizens, are still awaiting security clearances, said John Miller, the general counsel of the Information Technology Industry Council, who has spoken with government officials involved in the process.
“The biggest hold-up is the clearances, which take time. As I understand it, the physical locations, the physical infrastructure, office equipment, budget, staff, all exist,” he said.
The Department of Justice, which is responsible for establishing the court, did not respond to a request for comment.
EU officials can’t properly review the framework until this court is running, but it’s not the only reason for the delays. Both the EU Parliament and the European Data Protection Board are skeptical of the data privacy framework proposed by the United States, pointing to issues with U.S. surveillance laws, as well as how the court will handle cases.
The EU Parliament’s recommendation noted that U.S. intelligence agencies are prohibited from bulk data collection on American citizens, but that the same protection doesn’t extend to EU citizens. There are also concerns the Data Protection Review Court could reject a vast amount of European citizens’ cases without valid reason or any methods of appeal.
“Whereas a comprehensive assessment of how these principles are implemented in the U.S. legal order might not be possible due to a lack of transparency in Data Protection Review Court (DPRC) procedures,” the EU Parliament said in its recommendation against approving the order.
The recommendation also cited the lack of any U.S. data privacy regulation, which Congress failed to pass last year. The American Data Privacy and Protection Act is expected to be reintroduced this year, according to House Energy and Commerce Committee chair Cathy McMorris Rodgers (R-Wash.).
Rodgers and other committee leaders did not respond to a request for comment.
Companies, including Meta, have braced themselves for this decision for months. More than 80 companies have noted in public investor filings that they’re concerned about their international data transfers without a legal framework in place, the IAPP’s Jones said.
Those companies include Microsoft, Google, Salesforce and Zoom, and all note that cutting off international data transfers poses a significant issue for them. Suspending data transfers between the two regions could mean being unable to operate in the EU or facing expensive costs to use servers based in the EU.
While some major companies will be able to afford EU-based data centers to avoid transfers to the U.S., others will not and could either run the risk of violating the GDPR or cut off data from EU users.
“Some companies will say it’s too risky to transfer data out of the EU,” Jones said. “Others will carry on and try to remain under the radar until there’s an adequacy decision.”