What Meta’s €1.2bn fine over EU-US data transfers means for marketers

The fine was levied as a result of Facebook’s transfer of user data from the EU to servers in the US. Meta, which owns Facebook, was informed in 2020 that its mechanism for transfer was to be banned as a result of fears that US government agencies could access the data. That constitutes a breach of rules governing data transfers to countries outside the bloc – referred to as ‘third countries’ – exacerbated by ongoing privacy concerns related to the Facebook platform.

Ireland’s Data Protection commissioner Helen Dixon led the development of the ban on behalf of the European Data Protection Board [EDPB], despite Facebook stating that such a move might make it impossible for Facebook to continue operating in the EU. However, it is essential to note that the current ban only impacts Facebook, while Meta’s other platforms Instagram and WhatsApp are unaffected.

The EDPB’s chair, Andrea Jelinek, said: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine strongly signals organizations that serious infringements have far-reaching consequences.”

Meta has stated its intention to appeal the decision. Its president of global affairs Nick Clegg and chief legal officer Jennifer Newstead issued a statement, which in part reads:

“Our priority is to ensure that our users, advertisers, customers and partners can continue to enjoy Facebook while keeping their data safe and secure. There is no immediate disruption to Facebook because the decision includes implementation periods that run until later this year. We intend to appeal both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines.”

It also points out what it sees as hypocrisy in the ruling, stating that while the US has “done more” to abide by the EU’s GDPR rules than any other country, data transfers continue from the EU to countries including China. It has previously stated that roughly a 10th of its annual ad revenue is at risk from disruption to the flow of data from the EU to the US.

Future concerns

Chris Combemale, CEO of the Data & Marketing Association (DMA UK) said: "This is a concerning situation for businesses across the UK, particularly those with customers based in the EU and who use cloud tech services hosted in the US.

“While this ruling doesn’t affect international data transfers between the UK and US or UK and EU, it raises important questions about differing privacy standards between countries outside of the EU with commercial interests inside of it. The DMA is reviewing this case to determine how it will affect UK companies and will soon provide guidance to help explain its impact.”

Despite the huge figure, the €1.2bn fine is seen as unlikely to deter Meta given that it is a small proportion of its overall advertising revenue.

Am I missing something obvious here, or is Meta not complaining that the Irish DPC decision would require it to spend billions on building infrastructure to process user data closer to the users... something it has lobbied Washington extensively to do for TikTok in the US?

— Chris Stokel-Walker ~ @stokel@infosec.exchange (@stokel) May 22, 2023

Some marketers also believe that the scale of the fine will act as a deterrent to other companies. Caitlin Fennessy, chief knowledge officer and vice-president at the International Association of Privacy Professionals, a Washington, DC-based interest group, said: “The size of this record-breaking fine is matched by the significance of the signal it sends, that time is up. If a diplomatic fix doesn’t come soon, the impact across companies will be far greater than the fine itself. All eyes will now turn to the timetables outlined and how soon the adequacy determination for the EU-US Data Privacy Framework can be finalized. In the interim, today’s decision signals that companies have a whole lot of risk on the table.

“This could lead EU businesses to demand data localization from U.S. business partners or to switch to domestic alternatives. Such shifts could outlast the adequacy process itself.”

The company has been given until October to comply with the ruling – and there is a strong possibility that a new deal relating to data transfers currently in the works between the EU and the US will be in place by then, the aforementioned EU-US Data Privacy Framework.

Arielle Garcia, chief privacy officer at IPG’s media agency UM Worldwide, said: “The fine against Meta will reinvigorate calls for the replacement US-EU transfer framework. Given Meta’s intention to appeal the decision, and the undoubtedly amplified calls for progress on the new cross-border transfer framework during the five- to six-month implementation timeline, no immediate disruption is anticipated.

“It is important for advertisers to recognize that the issue of EU-US transfers is not unique to Meta – as we have seen with the flurry of EU DPA rulings on Google Analytics last year, so the disruption and uncertainty would ultimately not be limited to one platform.”

Additional reporting by Kendra Clark.