t
The European Union hit Meta, parent company of Facebook, Instagram, and WhatsApp, with a history-changing order to suspend data transfers to the US on Monday. The order comes with a €1.2 billion fine—about $1.3 billion—the largest ever fine under Europe’s General Data Protection Regulation (GDPR).
In April, Meta told investors that the risk of an upcoming privacy decision in the EU could cost the company 10% of its global advertising revenue. The order gives Meta six months to stop processing Europeans’ personal data in the US and to delete any such data already stored in US data centers.
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous,” said Andrea Jelinek, chair of the European Data Protection Board (EDPB), in a press release. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
Meta said in a statement that it plans to appeal the ruling and that “there is no immediate disruption to Facebook in Europe.” The data in question: names, emails, IP addresses, messages, and location.
“This is not about one company’s privacy practices – there is a fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer,” Meta wrote in a blog post Monday.
For years, experts questioned whether the EU would actually enforce the ideals in its sweeping GDPR privacy rules. Monday’s order is proof the EU means business.
The EDPB is a harsher update to a fine proposed back in January. The legal argument, essentially, is that Meta and other companies can’t force you to agree to data harvesting in their terms of service. If that logic holds up, it could spell the end of certain kinds of targeted advertising. One thing is certain: EU citizens are going to see even more pop-ups asking for consent to online tracking than they already do.
Meta and other big advertising companies like to say that people prefer “relevant” (aka targeted) ads, but when you frame the question in the context of privacy and pervasive data collection, most people aren’t on board. If Meta and the rest of the internet are forced to obtain meaningful consent for data harvesting, it could spell the death of targeted ads in the EU entirely, one of the world’s biggest ad markets, turning the web’s business model on its head.
However, this doesn’t mean that companies won’t find a way to preserve the privacy-less status quo. The more business-friendly US is working on a framework that would allow this kind of data transfer without violating the European privacy law.
The EU decision is part of a broader trend. We’re entering a new privacy era that could finally reign in many of the internet’s worst privacy offenses. But with a gaping hole where US privacy laws should be, the battle isn’t over yet.
This article is part of a developing story. Our writers and editors will be updating this page as new information is released. Please check back again in a few minutes to see the latest updates. Meanwhile, if you want more news coverage, check out our tech, science, or io9 front pages. And you can always see the most recent Gizmodo news stories at gizmodo.com/latest.
Source: Gizmodo