European Union Fines Meta $1.3 Billion Because of NSA Spying Programs

Ireland's Data Protection Commission announced this week that Meta Ireland, the Irish subsidiary of Facebook parent company Meta, had violated privacy provisions of the General Data Protection Regulation (GDPR), a rule that went into effect in 2018. The GDPR mandated much stricter data privacy rules in the European Union (E.U.), which caused some growing pains upon implementation.

The Irish agency determined that Meta "transfer[red] personal data" from the E.U. to the U.S. in a manner that "did not address the risks to the fundamental rights and freedoms of data subjects," i.e. Europeans who use Facebook. It fined the social media firm 1.2 billion euros ($1.3 billion USD), the E.U.'s largest penalty on record.

But the fine seems to be based less on Meta's carelessness with customer data than the U.S. intelligence community's snooping practices.

Controversy over transatlantic data transfers goes back a decade, to Edward Snowden's disclosures about U.S. National Security Agency (NSA) spying programs. Among Snowden's revelations was PRISM, a program that according to The Verge "allows [intelligence agencies] to expedite court-approved data collection requests" of tech companies. Rather than a traditional warrant from a judge which would be susceptible to open records laws, the intelligence community largely relied on classified orders from the Foreign Intelligence Surveillance Court.

Data transfers between the U.S. and Europe had generally been allowed under a "safe harbor" legal framework since 2000. But key to that agreement was an understanding that all parties involved would generally safeguard users' privacy, and in the aftermath of the Snowden disclosures, the E.U. Court of Justice threw out the agreement in 2015. The parties formed a new agreement, known as the E.U.-U.S. Privacy Shield, the following year, but in 2020, the Court invalidated that agreement as well, again citing NSA spying programs. Meta's actions at issue would have been acceptable under the Privacy Shield but were no longer allowed after it was struck down.

The new judgment contains no allegations of specific data breaches, which one would expect with a penalty of over $1 billion. The Federal Trade Commission (FTC), for example, assessed a fine of between $575 million and $700 million against credit bureau Equifax after a 2017 data breach that exposed 147 million people's personal information. The FTC also hit Facebook with a $5 billion fine in 2019 for misuse of user data for the Cambridge Analytica scandal (a saga which, in retrospect, produced much more smoke than fire).

Rather, Meta's fine came as a result of the potential breach of information that could result from U.S. intelligence agency snooping. As Mike Masnick wrote at Techdirt, Meta was penalized because "it transferred some EU user data to US servers. And, because, in theory, the NSA could then access the data. That's basically it. The real culprit here is the US being unwilling to curb the NSA's ability to demand data from US companies."

As always, Meta can handle the fine: The company reported $116.6 billion in revenues last year. But smaller companies may not have that luxury. When countries pass onerous privacy regulations just to protect their citizens' data from the intelligence community's prying eyes, that cost is borne not by the spy agencies themselves but by the small companies forced to comply.