Meta fine highlights EU, US data sharing challenges

Until the new EU-U.S. Data Privacy Framework is established, Meta's 1.2 billion euro fine should serve as a warning to U.S. businesses handling EU personal data.

Meta's recent 1.2 billion euro fine serves as a warning to businesses of the ongoing data privacy issues between the U.S. and European Union, despite the two sides reaching an agreement last year on a new framework to facilitate legal data sharing.

In 2020, the Court of Justice of the European Union struck down a previous agreement for data sharing, called the EU-U.S. Privacy Shield, following the Schrems II court ruling that took issue with the way the U.S. government was handling EU personal data. Removal of the EU-U.S. Privacy Shield framework left companies in legal limbo when it came to the exchange of data between the EU and U.S. Companies risked noncompliance with the EU's General Data Protection Regulation without the legal data sharing framework, which was necessary because the U.S. has no data privacy law protecting EU data.

U.S. President Joe Biden and European Commission President Ursula von der Leyen reached an agreement in March 2022 on a new data sharing framework called the EU-U.S. Data Privacy Framework, which restored the legal safeguards for transatlantic data flows. However, the EU must still adopt and implement the new data sharing framework.

Meta's fine, issued by the Irish Data Protection Commission under the guidance of the European Data Protection Board (EDPB), related to the company's transfer of EU personal data to the U.S. starting July 2020. Meta used an alternate legal mechanism called standard contractual clauses -- a legal mechanism the company said complied with GDPR. It said it plans to appeal the decision.

"Ultimately, the invalidation of Privacy Shield in 2020 was caused by a fundamental conflict of law between the U.S. government's rules on access to data and the privacy rights of Europeans," Meta said in a statement. "It is a conflict that neither Meta nor any other business could resolve on its own. We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe."

The decision to issue a record-breaking fine to Meta signals that companies have "a whole lot of risk on the table" that could lead EU businesses to demand data localization from U.S. companies or cause a switch to local alternatives, said Caitlin Fennessy, vice president and chief knowledge officer at the International Association of Privacy Professionals.

"The size of this record-breaking fine is matched by the significance of the signal it sends, that time is up," she said. "If a diplomatic fix doesn't come soon, the impact across companies will be far greater than the fine itself."

New framework will help but not solve issues

Given the recent fine handed to Meta, Fennessy said all eyes will now turn to the EU-U.S. Data Privacy Framework and the timetables for when it will be finalized and implemented. It's expected to come into force this summer.

However, the EU's European Parliament and EDPB have negative opinions on the framework, said Forrester analyst Enza Iannopollo. Even if the EU moves forward with the new EU-U.S. Data Privacy Framework, she said it would only be another temporary fix to long-standing data privacy issues.

"The need to facilitate compliance with the international data transfer requirements is well understood," Iannopollo said. "However, [this] decision shows that there are situations that create very high risk and European data protection authorities will continue to look into these cases, regardless of any frameworks."

The decision will force organizations to more deeply assess the risks their data practices create and make decisions on how to mitigate those risks based on well-established privacy principles, she said.

"All organizations handling personal data, and more so those experimenting with emerging technology such as generative AI, have a lot to learn from this decision," she said.

Businesses beyond tech giants have been worried about the challenges associated with sharing data between the U.S. and EU as they assess methods to stay compliant with GDPR until the new data sharing agreement is established, said Gartner analyst Nader Henein.

"It's the analogy of sitting in a foxhole, keeping your head down, and praying that nobody notices you," he said.

Even when the new data sharing framework goes into effect, Henein said it will be important for businesses to maintain GDPR compliance measures. The new framework could potentially be invalidated, like the previous Privacy Shield.

Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at Wabash Plain Dealer.
