The European Union hit Meta, parent company of Facebook, Instagram, and WhatsApp, with a history-changing order to suspend data transfers to the US on Monday. The order comes with a €1.2 billion fine—about $1.3 billion—the largest ever fine under Europe’s General Data Protection Regulation (GDPR).
In April, Meta told investors that the risk of an upcoming privacy decision in the EU could cost the company 10% of its global advertising revenue. The order gives Meta six months to stop processing Europeans’ personal data in the US and to delete any such data already stored in US data centers.
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous,” said Andrea Jelinek, chair of the European Data Protection Board (EDPB), in a press release. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
Meta said in a statement that it plans to appeal the ruling and that “there is no immediate disruption to Facebook in Europe.” The data in question: names, emails, IP addresses, messages, location, and more.
“This is not about one company’s privacy practices – there is a fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer,” Meta wrote in a blog post Monday.
For years, experts questioned whether the EU would actually enforce the ideals in its sweeping GDPR privacy rules. Monday’s order is proof the EU means business.
The EDPB is a harsher update to a fine proposed back in January. The legal argument, essentially, is that Meta and other companies can’t force you to agree to data harvesting in their terms of service. If that logic holds up, it could spell the end of certain kinds of targeted advertising. One thing is certain: EU citizens are going to see even more pop-ups asking for consent to online tracking than they already do.
Meta and other big advertising companies like to say that people prefer “relevant” (aka targeted) ads, but when you frame the question in the context of privacy and pervasive data collection, most people aren’t on board. If Meta and the rest of the internet are forced to obtain meaningful consent for data harvesting, it could spell the death of targeted ads in the EU entirely, one of the world’s biggest ad markets, turning the web’s business model on its head.
However, this doesn’t mean that companies won’t find a way to preserve the privacy-less status quo. The more business-friendly US is working on a framework that would allow this kind of data transfer without violating the European privacy law. The EDPD order makes room for an agreement that would close the gap, and Monday’s decision ratchets up pressure on policy makers to make a deal.
While Meta’s statement signals optimism, the EU is a serious blow. The company may have to create an entirely separate systems to silo its European operation. That a project would be both expensive up front and less profitable in the long term.
The EU decision is part of a broader trend. We’re entering a new privacy era that could finally reign in many of the internet’s worst privacy offenses. But with a gaping hole where US privacy laws should be, the battle isn’t over yet.
There are no comprehensive federal privacy laws in the US. There’s widespread agreement on privacy issues, and curbing big tech is one of the few areas of common ground between Democrats and Republicans. But despite years of grandstanding, American lawmakers have made little progress. Many states passed their own privacy rules in the meantime, but American’s data is unprotected writ large.
Congress total failure on this issue made space for the dominant tech platforms to write the country’s privacy rules themselves.
In 2021, Apple introduced a new privacy setting called App Tracking Transparency. It gives iPhone users a way to block apps from tracking them across the internet, and the vast majority of users choose the more private option. Google’s set to make a similar and perhaps more dramatic change. The search giant’s so called “Privacy Sandbox” project will shut off third-party cookies in 2024, blocking the primary method companies have used to spy on consumers for 30 years.
Of course, the tech giants’ moves give them a number of advantages and deal serious blows to their competitors. Meta is one of the hardest hit. The company attributes $10 billion dollar losses to Apple’s privacy setting alone.
Meta wants its investors to know that everything is just fine, but the company understands the writing is on the wall. The strongest evidence of that fact is Mark Zuckerberg’s company is now called Meta, not Facebook, reflecting an effort to completely diversify the business and focus on building a virtual reality “metaverse” on the internet. The company laid off thousands of workers and plans to cut a total of 10,000 employees by the end of the year. The social media powerhouse appears to be floundering, though it’s not all bad news. Meta posted its first sales increase in almost a year this April.