Meta has six months to get the data of European Facebook users off its US servers and owes the European Union €1.2 billion ($1.3 billion) under a decision announced Monday by the European Data Protection Board (EDPB).
The board’s 222-page decision (PDF) focuses less on what Meta’s Irish subsidiary, which runs its European operations, has done with the information of EU Facebook users and more on what it can’t do to safeguard that data from the curiosity of the National Security Agency.
The EDPB held that the latter shortfall violates a core principle of the General Data Protection Regulation, the vast set of privacy rules that went into effect five years ago. Firms doing business in the EU cannot transfer people’s data out of it without securing “appropriate safeguards” that include “enforceable data subject rights and effective legal remedies.”
As Irish data protection commissioner Helen Dixon summarized in the EDPB ruling, Facebook “does not have in place supplemental measures which compensate for the inadequate protection provided by US law.”
That’s been an existential issue for US tech firms with transatlantic operations ever since Edward Snowden’s 2013 revelations of bulk surveillance by the NSA. It led to a complaint filed with the EU by Austrian privacy activist Maximilian Schrems that Facebook had left his information exposed to US surveillance agencies. In 2015, the Court of Justice of the European Union agreed with him and struck down a 2000-vintage “Safe Harbor” agreement between the US and the EU that authorized transatlantic data flows.
A revised Privacy Shield agreement meant to address that ruling itself got thrown out