Meta Platforms Inc. is expected to be hit with another data-protection order on May 22, according to EU officials, over how it transfers European data to the US. There will be a fine, likely in the hundreds of millions of dollars based on previous sanctions, and Meta will be told that it can no longer send European user data to be processed on US servers.
The European Data Protection Board, contemplated a more serious punishment: forcing Meta to delete all of the European data it has held in the US for the past decade which is approximately 10 years’ worth of data. Personal data is critical to Meta’s targeted advertising business, and it has admitted in court filings to being unable to identify all of the different user information it has in its disparate databases. This would have been a kick in the teeth for the company, and difficult to comply with (Facial recognition firm Clearview AI was similarly ordered to delete millions of photos of French residents in 2021.)
Europe has a reputation for being the world’s leading watchdog on data protection, enacting robust privacy laws earlier than anywhere else and going after big tech. The reality is more mundane and often looks like an endless game of ping pong. Companies appeal, cases get tangled up in court, and privacy practices occasionally improve.
Meta can probably breathe a sigh of relief. It looks unlikely to get a deletion order next week, according to a person with knowledge of the matter who declined to be identified discussing the deliberations.
Meta might be able to carry on with the global cross-pollinating it does with people’s data. It will almost certainly appeal the forward-looking ban on bringing more European data to the US, delaying its impact by several months and possibly years, by which time the EU and the US may well have reached a new legal agreement governing data transfer.
A spokesman for Meta declined to comment. The company has previously said that it welcomes “the progress that policymakers have made towards ensuring the continued transfer of data across borders.”
The worst part of the sanctions could well be the fine, which comes at a trying time for the company financially. Facebook is cutting thousands of jobs and Mark Zuckerberg has dubbed 2023 the company’s year of efficiency.
Ordering tech firms to delete large swathes of data seems drastic, but Europe’s enforcement of its general data protection regulation regime has been weak. In the never-ending ping-pong game between EU regulators and big tech, that would have delivered a rare smash.
The lack of a deletion order is also disappointing for anyone who thinks big tech’s data surveillance business has gotten out of control and given that Meta has managed to spend more than a decade profiting from a free-for-all on people’s personal information with relative impunity.
“Fines are great, but when Google and others are found to have no legal right to use our data, they still have our data,” says Estelle Masse, global data protection lead for Access Now, a civil liberties group.