Facebook parent company Meta is being made an example of by the European Data Protection Board for processing data on EU consumers the same way thousands of other U.S. companies do, Meta’s chief legal officer, Jennifer Newstead, said in a statement she released with the company’s president of global affairs, Nick Clegg.
“This is not about one company’s privacy practices,” Newstead and Clegg said. “There is a fundamental conflict of law between the U.S. government’s rules on access to data and European privacy rights.”
The Irish Data Protection Commission (DPC), an EU enforcer of the General Data Protection Regulation (GDPR) enacted in 2018, on Monday hit Meta with the biggest privacy fine ever, $1.3 billion, for transferring data on EU Facebook users to its U.S.-based data centers.
At the core of the EU’s privacy concern isn’t Facebook’s use of the data per se, but U.S. government surveillance of the data – something that was classified until 2013, when Edward Snowden, then a sub-contractor for the National Security Agency, disclosed what was happening in a leak that sent shockwaves across the globe.
Absent a framework for EU Facebook consumers to challenge federal government surveillance of their data while it’s stored in U.S. data centers, Meta is violating GDPR.
The Data Protection Commission is giving Meta until the fall to transfer the data back to EU servers.
New privacy framework
In their statement, Newstead and Clegg said Meta, with its eye on negotiations between the U.S. and EU on a new transatlantic privacy agreement, intends to keep the data on U.S. servers for now.
Should the agreement, called the Data Privacy Framework, be accepted by both sides, Meta’s data will be able to stay in the U.S.
President Biden proposed the new agreement in an executive order last year, but the EU hasn’t agreed to it yet.
“Policymakers in both the EU and the U.S. are on a clear path to resolving this conflict,” Newstead and Clegg said. Assuming the framework is agreed to, it would “enable the free flow of transatlantic data.”
Should the agreement remain mired in differences, thousands of U.S.-based companies could face the same kind of enforcement action that Meta is dealing with currently.
Salesforce, Zoom, Google and Microsoft are among the bigger companies that are in the same situation as Meta, but there are thousands of small- and mid-sized U.S.-based companies that do business in the EU and similarly transfer data to U.S. servers.
Bigger companies could probably manage the costs of building EU-based data centers and transferring data back to the EU if no agreement is worked out, analysts say, but it could be cost-prohibitive for smaller companies.
“While some major companies will be able to afford EU-based data centers to avoid transfers to the U.S., others will not and could either run the risk of violating the GDPR or cut off data from EU users,” a Politico report says.
“Some companies will say it’s too risky to transfer data out of the EU,” Joe Jones, director of research and insights for the International Association of Privacy Professionals, said in the Politico report. “Others will carry on and try to remain under the radar until there’s an adequate decision.”
This “is a conflict that neither Meta nor any other business [can] resolve on its own,” Newstead and Clegg said. “We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.”
Meta says it will fight the action and fine.
“We intend to appeal both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines,” Newstead and Clegg said.