Facebook owner Meta has been hit with a record €1.2 billion fine for grave violations of EU privacy law over data transfers to the US, which were struck down by a European court ruling three years ago. This is a huge sum. But it is merely a blip when measured against the vast scale of Meta’s business: its profit in the first three months of 2023 was €5.26 billion.
Still, the rate at which Mark Zuckerberg’s company is racking up sanctions would be enough to break a smaller enterprise. The new fine brings total penalties against Meta to some €2.5 billion since a new data regime took force in 2018. This is real money for sure, although the reputational fallout from a succession of adverse findings may have a greater impact than the financial hit.
As with previous penalties, Meta disputed the findings and resolved to make a court appeal. But the company has now been found on several occasions to have flouted Europe’s general data protection regulation (GDPR), a body of law designed to toughen scrutiny over business exploitation of personal data. These are very serious findings. Despite voluble protests from Meta, expensive legal manoeuvres and insistent claims of unfair treatment at the hands of regulators, this is a bad look for Zuckerberg and his crew.
For hundreds of millions of people who use wildly profitable Meta platforms such as Facebook, WhatsApp and Instagram, this must raise questions as to what exactly happens with the data they and their children entrust to the company.
There are questions also for the Republic’s data protection commissioner, Helen Dixon, who is de facto chief data regulator for Europe. This flows from EU law that says national data regulators where a multinational company has its European headquarters must regulate the company’s pan-European data operations. Dixon is in the hot seat because the State is an EU hub for big tech groups such as Meta, Apple, Google, Microsoft, Twitter, TikTok and many more.
The Irish regulator is often attacked by certain fellow regulators and privacy campaigners for acting too slowly against Big Tech and for sanctions dismissed as too small to hurt. She is quick to reject such critics. Yet the new penalty against Meta came only after a dispute-resolution process in Brussels with fellow regulators, the latest in a line of time-consuming arguments at the European Data Protection Board. What is more, the €1.2 billion sanction was imposed only after the European board “instructed” regulators in Dublin to reverse a draft decision not to impose any fine.
The upshot is that this large penalty in the name of the Irish commissioner is, in reality, a European fine that she did not seek.
Five years ago, the GDPR was heralded as a decisive move towards corporate accountability for the excesses of social media. However, Meta’s actions suggest it sees little to fear. Whether it was ever a good idea to hand pan-European responsibilities for policing the rules to national regulators is another matter.