Meta, the parent company of Facebook, has been fined a record €1.2 billion ($1.3 billion) by the European Union for violating its data privacy laws. The fine was issued by Ireland’s Data Protection Commission, which is Meta’s lead regulator in the EU, and is the largest ever levied under the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018.
Meta was fined for transferring the personal data of EU users to the United States without adequate safeguards in place to protect that data from U.S. government surveillance. The EU has long been concerned about the U.S. government’s access to the personal data of EU citizens, and the GDPR was designed to address those concerns. For historical context, prior to 2020, these data transfers were covered under Privacy Shield, a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. It was established in 2016 as an alternative to the Safe Harbor Agreement, which was invalidated by the European Court of Justice in 2020.
The fine against Meta could have broad implications for businesses handling the data of EU citizens, across virtually all industries. Those businesses will need to make sure that they are in compliance with the GDPR and that they have adequate safeguards in place to protect the personal data of EU citizens. Increased enforcement action from EU regulators has also been expected, absent a new agreement between the US and EU’s data privacy regulators, which has not come to fruition.
Here are some of the potential implications of the Meta fine for other businesses that handle data:
While Meta has been the first company subject to penalty post-Privacy Shield, an untold number of multinational corporations in virtually every industry, from finance to retail and manufacturing, could also be liable for transatlantic data transfers. It remains unclear how the EU’s regulators intend to address enforcement. Under GDPR, they could potentially stop data transfers to the US altogether, though doing so would likely have broad economic impacts. Still, the risk of being in violation of GDPR is significant for businesses handling EU citizens’ data.
A strict interpretation of GDPR could require businesses to establish data processing capabilities in each country or data jurisdiction they do business in. Data center capacity is more limited in Europe, with far less buildable land for adding capacity than in the US. The need to quickly add significant cloud capacity in Europe could drive the cost of such services higher, both in the EU and globally. Additionally, the supply chain effect could drive up the cost of the components used in data center construction and operation, with potentially widespread economic impact.
For individual businesses, the costs of compliance with post-Privacy Shield GDPR go far beyond computing costs. Implementing new data handling processes, potentially having to re-engineer software to keep data within Europe, and finding sufficient staffing to facilitate all of these changes is an expensive prospect for companies in the US handling EU data.
US businesses that can’t afford to comply with this new data paradigm may find that accessing European markets becomes difficult or impossible. Secretary of Commerce Wilbur Ross recently estimated the value of trans-Atlantic business at over $7 trillion. The potential harm to businesses and the customers they serve caused by the restriction of this trade is difficult to measure, but the risk cannot be overstated. Absent a new data agreement between the US and EU, companies are likely already reconsidering their European business strategy.
Despite the apparent size of this fine, Meta escaped the worst of the possible penalties. Regulators could have imposed daily penalties until the company fixed its processes, or gone after 4% of Meta’s global revenues. And regulators could have targeted other names in big tech, but they didn’t. Today’s EU regulators are imposing minimum fines. Tomorrow’s regulators may take privacy seriously and impose the full weight of penalties on offending companies. The time to fix your own company’s policies and processes is today.
If your organization is struggling under the weight of growing data volumes while maintaining privacy and security, we’d love to chat with you!