- Reading time 2 Minutes
Ireland’s data protection authority has imposed a record fine of EUR 1.2 billion against Meta. Furthermore, all personal data must be filed in data centers located in the European Union in future, and no longer in the US. Meta has been given a period of 5 months in oerder to stop transferring data to the US and of 6 months in order to retrieve the data.
The decision, which Meta plans to appeal, is the latest in a years-long legal tug-of-war. Section 702 of the Foreign Intelligence Surveillance Act allows US intelligence agencies to obtain emails and other customer communications from US companies without court approval. The privacy provisions apply only to US citizens and residents. Although the EU has repeatedly urged US companies to protect European data from such access, this has never been fully implemented.
Unless US surveillance laws are changed, Meta must now fundamentally restructure its system. At the heart of the penalty is the fundamental legal conflict between US government regulations and European data protection law. The US Congress is waiting for an update to FISA Section 702; however, the privacy rights of non-US citizens have not been addressed in the debate so far.
Time will tell whether a court will uphold this decision. However, the transfer of data to the US has long been a problem and a risk that should not be taken lightly. The decision comes at the same time as the Data Protection Conference statement, which tightens the requirement for cloud providers outside the EU or secure third countries.