Meta has been served a record fine of $1.3 billion over mishandling of user data and privacy violations. The fine, imposed by Ireland’s Data Protection Commission (DPC), sets a new record for penalties under the GDPR and has been hailed as a landmark moment for privacy norms. Along with the hefty fine, Meta has also been prohibited from transferring user data from the EU to the US, a practice for which it has been heavily criticised.
According to the regulator, Meta engaged in the illegal transfer of data to the US, where it was sold to both intelligence agencies and advertisers. This is despite a 2020 court ruling, according to which any data leaving the EU should have the same level of protection as it does in the EU. The previous record for the largest fine was $746 million, imposed on Amazon in 2021.
Facebook in the crosshairs
Importantly, the ruling and the ban on data transfers only apply to Facebook at the moment, leaving Meta’s other popular social media products – Instagram and WhatsApp – in the clear, at least for now. There will be no immediate disruption to Facebook’s services, as it has a five-month grace period to comply, but Meta has surely realised the need to transfer some of its servers to Europe to stay clear of any further fines.
The fine, the added cost of compliance, and the negative hit to reputation all bode ill for a company already struggling financially due to lower user engagement. In a statement on its company blog, Meta said that it would appeal the ruling, calling the fine unjustified, unnecessary, and a dangerous precedent for other firms. Its spokesperson also said that the company would be seeking a stay on the data transfer suspension order.
The court battle began more than ten years ago. Max Schrems, a privacy activist and campaigner from Austria, first served a legal challenge in 2013 after the Edward Snowden leaks revealed the risk of spying by American intelligence agencies. While the battle has been fought against all privacy-violating tech companies, Facebook is the prime target, due both to its especially outrageous violations, such as the Cambridge Analytica scandal, and to the scale of its data theft.
A record fine to celebrate the GDPR’s fifth anniversary
The court ruling also coincided with the fifth anniversary of the promulgation of the GDPR (the General Data Protection Regulation). The GDPR is a set of rules set by the European Union that regulates data protection, user privacy, and the transfer of personal data outside the EU. Widely considered to be a landmark piece of legislation in the history of internet regulation, the GDPR has found many imitators and detractors outside the EU.
Coming into force in May 2018, the GDPR aims to increase individuals’ control over their personal data and limit corporations from mining and selling said data. Academic experts who participated in the formulation of the GDPR wrote that the law “is the most consequential regulatory development in information policy in a generation.” The GDPR will bring personal data into a more complex and hence stricter regulatory regime.
The GDPR has been very influential worldwide. Many activists, legislators, and businessmen have praised it, saying it simplifies data management, protects user privacy, and limits Big Tech, and jurisdictions like Turkey, Mauritius, South Korea, Japan, Brazil, California, the United Kingdom, South Africa, Argentina, Chile and Kenya have adopted it in the same or modified form.
However, the law also has many critics who contend that the GDPR increases the cost of compliance for businesses, and the cost of enforcement for governments, coming out to more than $300 billion. It also discourages foreign companies from entering Europe, suppresses smaller firms in favour of megacorporations, and makes Europe less competitive, according to these viewpoints.
While this fine will in no way be enough to stop rampant data theft and privacy violations by Big Tech companies, it is still a step in the right direction. As the infamous Cambridge Analytica scandal showed, lax privacy norms can lead to serious political and economic crises, compounded by a massive rise in organised internet fraud and international cyber warfare in recent years.
The EU has certainly taken the lead in corporate regulation and consumer protection, but there is an urgent need for other jurisdictions, notably the USA and developing countries, to step up their game and protect their citizens’ data before it is used for nefarious purposes. Facebook, though one of the biggest, is certainly not the sole violator, and a concerted international prosecution against the largest Big Tech companies seems like the only effective way to dissuade data theft.