Ireland’s Data Protection Commission (DPC) fined Meta, the parent company of Facebook and Instagram, €1.2 billion ($1.3 billion) for sending European citizens’ personal data to the US in violation of the EU’s General Data Protection Regulation (GDPR), the EU’s sweeping data privacy law.
The commission also gave Meta five months to stop sharing Facebook user data with the US. (The ruling does not apply to data from Instagram or WhatsApp, both of which are owned by Meta.)
In a statement, Meta wrote that it disagrees with the Irish regulator’s decision, and plans to seek a stay of the order when it appeals. In the meantime, the company assured users there will be no immediate disruption to its services in Europe.
If Meta doesn’t win its appeal, however, it needs a drastic solution: Either the company radically changes how it stores EU user data or it needs to withdraw entirely from the European market. Complying is complex, but leaving would come at the cost of forgoing lucrative advertisement revenue.
The EU-US data privacy framework is awaiting final approval
The DPC’s fine is the latest flare in an ongoing privacy battle between the EU and Meta, but there’s a big political question mark that could soon come into play.
The EU and US have agreed in principle to the Trans-Atlantic Data Privacy Framework, but this is awaiting final approval by the European Commission, which is expected later this summer. If the framework is finalized, Meta’s legal problems may be nullified.
Last year, Meta warned in a regulatory filing that if a data pact isn’t adopted soon, “we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.” The company then issued a statement clarifying it is “absolutely not threatening to leave Europe”—rather, it had to disclose material business risks to investors.
But nearly a year later, the framework still hasn’t been adopted and the pressure is ramping up against Meta with a five-month deadline to figure out its data problem.
Meta’s $11 billion reason to stay
Anupam Chander, a technology law professor at Georgetown University, thinks Meta will try its best to comply, rather than pull out of Europe entirely. But that would involve “trying to rip apart the codebase and replicate it in Europe and rip apart its database and fragment it into multiple countries,” he told Quartz via email. “But it’s frighteningly complicated. What about a single post that attracts comments from Europeans, Americans, and others? Should the data for that single post be stored in multiple countries?”
In a separate post on Twitter, Chander said he feels like Meta has two real options: “End-to-end encryption for all of personal data, or ending personal data transfer to the U.S.”
John Davisson, senior counsel and director of litigation at the Electronic Privacy Information Center, was less sympathetic toward Meta. He told Quartz that the setback is “well-deserved,” writing that rather than improve its data practices in Europe, Meta tried to “paper over the problem” and wriggle out of its obligations in court.
Still, he agrees with Chander that it’s unlikely Meta ever pulls out from Europe entirely.
Meta CFO Susan Li said in a recent earnings call that Meta makes “roughly 10%” of its global ad revenue from delivering Facebook advertisers to EU users. Considering Meta brought in $113 billion in total ad revenue last year, the company would be taking a hit of around $11 billion each year by exiting Europe.
“That’s a tremendous incentive for the company to work out a technical solution,” Davisson said, “even if it means significant changes to the way Facebook and Instagram work for EU citizens.”