Meta data misuse fine smashes billion-dollar threshold

What next for the billion-dollar data misuse case?
22 May 2023

Meta is a frequent offender when it comes to GDPR.

The tech giants have seemingly been in a race for some years to see which of them can be fined the most for being reckless, irresponsible, and downright dangerous in their misuse of their users’ data. Meta has frequently been on a mission to outdo its own previous “company best” in this regard, and has regularly smashed like a coke-addled truck driver on a mission to nowhere through the provisions of the European Union’s data protection legislation, commonly known as the GDPR.

Now, Meta has outdone itself again, and left Amazon’s previous record-breaking fine of three-quarters of a billion dollars in the dust. The company now has the dubious historical distinction of being the first tech giant to rack up a single-case fine for data misuse that exceeds $1bn.

Billion dollar misbehavior.

In fairness to Meta, the mega-fine is not the result of any relatively new or recent data misuse, albeit the behavior being censured is ongoing to this day. It’s the final result of a long-churning case initially brought in 2013. And the issue that has landed it with the largest fine for data misuse so far in history is the transfer of user data out of Europe to the US for processing.

If that sounds an innocuous or accidental thing, and before we get too sentimental about Meta’s right to make a living through its targeted use of user data, it was for the most part moving the data to the US specifically because the regulatory regime that governs what it can legally do with its users’ data is significantly less stringent in the US than it is in the EU.

The Irish Data Protection Commission (DPC), which frequently acts as Europe’s de facto data privacy arbiter, said Meta’s EU-US data flows had depended on clauses in its contracts that “did not address the risks to the fundamental rights and freedoms” of users.

It also noted that the EU’s Court of Justice had already ruled against the company in 2020, demanding that Meta guarantee better protection for users’ data against invasive scrutiny by US spying and surveillance programs.

Meta has at least five months to stop its pending data transfers and just six months to stop its unlawful processing and storage of data in the US. For the benefit of brand clarity, neither Instagram nor WhatsApp are subject to the order, so this is a ruling that applies to the platform-formerly-known-as-Facebook, rather than across the board at Meta’s social media empire.

Meta is appealing…

Needless to say, Meta is appealing the fine – and there are already plans to put in place a legal method of sending data between the continents, which could potentially come into effect across the summer of 2023, but which might also face legal challenges en route to adoption.

Nick Clegg, Meta’s president of global affairs, said the company was disappointed to have been “singled out” for using “the same legal mechanism as thousands of other companies.”

“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US” said Clegg, explaining why the company would appeal. For a worldwide audience, it might be worth understanding that Nick Clegg is a former UK political leader widely credited with ensuring the electoral oblivion of his party for a generation, having campaigned on an issue of social justice, only to U-turn on it when his party joined a coalition government.

The cases are of course entirely unrelated, but regulators in the EU are therefore unlike to set much store by Mr Clegg’s interpretation of flawed and dangerous judgments – or Meta’s either, for that matter.

The point of crucial importance to Meta is that if, for instance, it entirely suspended its data transfer practices between the EU and the US, it has already explained in an earnings call that it would lose a predicted 10% of its advertising revenue – which amounts to a sum many times larger than its $1bn mega-fine.

That’s in keeping with Meta’s traditional practices when it comes to data privacy rules in Europe – the sums it is fined may, to any ordinary person or business, seem enormous beyond proportion, but the consequences of obeying the rules are still significantly more damaging to the company’s bottom line.

The acceptable cost of doing business.

Privacy activist Max Schrems, who originally brought the case that has resulted in the billion-dollar fine, made the point that GDPR legislation provided for the fine to be up to four times as high as it was.

The point about which is that Meta – and other social media platforms that regularly end up in hot water for their disregard of European privacy rules – regard the mega-fines as still being the more acceptable cost of doing business.

Negotiating the numbers downward is merely Meta attempting to minimize the impact of its fundamental business model to its own bottom line.

All of which is worth remembering when US lawmakers threaten to ban TikTok as a potential security threat over the idea that its users’ data might be sent outside of the States and used in some nebulously nefarious way by the Chinese government.