Facebook’s parent company Meta has been fined a record $1.3bn for violating European Union data protection laws.
Regulators on Monday found the tech giant unlawfully sent the personal data of European users to the United States.
They gave it five months to stop sending European user data to the US and six months to bring its data operations into compliance “by ceasing the unlawful processing, including storage, in the US” of European users’ personal data transferred in violation of the 27-member bloc’s privacy rules.
Meta said it had been singled out and announced plans to appeal what it called a “flawed” and “unjustified” punishment by the Republic of Ireland’s Data Protection Commissioner.
The fine comes after a decade-long battle by privacy activists that started when US intelligence whistle-blower Edward Snowden revealed tech giants knowingly handed data over to surveillance agencies.
In earlier rulings, EU courts found the privacy of European citizens was not adequately protected under US law.
EU and US leaders are working on a new agreement on data flow that they say will allow essential data transfers while safeguarding civil liberties.
But the European Parliament and regulators have expressed concerns. Campaigners fear US law enforcement authorities may still be able to access the data of EU citizens and say that people in the bloc should be given the same legal protections from surveillance as US citizens.
Al Jazeera spoke to Estelle Masse, senior policy analyst at Access Now, a global digital rights group, about the fine imposed on Meta. A lightly edited version of the interview follows.
Al Jazeera: This is a massive fine, even for one of the largest companies in the world. Is it justified?
Estelle Masse: It is a record fine under the EU privacy laws, so in that sense the number may seem like good news from a privacy perspective. But we are still disappointed with the decision at the core of it.
The core of the issue is whether or not Meta and Facebook can hold our information and move it to the United States. Time and time again, we’ve found that the United States did not have the necessary protections in place to ensure that our information would be protected once it has moved there and also that it would not be unlawfully accessed by other authorities.
Meta found itself in the middle of this situation but hasn’t taken any measures to adequately protect the information of Europeans.
So we are grateful to see finally this fine coming after 10 years of legal battles. But we would have expected the decision to order Meta to immediate deletion [of data by] Meta and not to give it a deadline of six months.
Al Jazeera: Can you explain how the user data transfer works? A user goes on Facebook, Meta collects their data and then sends it to the US where it’s used for ad-targeting. But as part of that process, the EU says that data is vulnerable to be scraped by US surveillance programmes. Is this accurate?
Masse: That’s a great summary of it. And the US does not have a data protection or privacy federal law that protects non-Americans in the way it protects Americans.
What’s been particularly problematic for many years is … tech giants monetising personal data of millions of us around the world while there is not this federal level of protection for information on the commercial sector, and then the scope of surveillance law in the US is so broad.
And that’s why it’s really important to see that European regulators are stepping in and issuing a really significant fine against a company that is not taking the necessary steps to protect our information.
But by requesting that the core of the decision be complied with within six months, we actually think that Facebook may not have to do anything because in six months’ time a new agreement between the EU and the US will likely be in place to allow for the transfer of information and Facebook will be able to keep all the data.
Al Jazeera: What are your specific concerns with this potential new deal?
Masse: Our concern with the new deal – even though it’s an improvement from the two previous ones that were struck down by our highest court – is that fundamentally the US has not changed its approach to surveillance.
It does what we call “bulk surveillance”, which means it collects a disproportionate amount of information to later find what may or may not be relevant. This means that information about everybody may be accessed, may be stored or stay in the US in case they need it for later – and this creates a wide array of privacy risks.
Now, the United States is taking steps in this new agreement to say that they would only access this information under specific circumstances and with specific reviews.
But the level of remedy and the level of oversight that we would get as Europeans would not match what American citizens necessarily have or even the level of scrutiny and oversight that we have over the surveillance regime in Europe.
So this mismatch over how much the state can access your data and how much also companies should be able to hold in the first place about you is still not fully addressed in this new agreement.
Even though it’s a step forward, we are still not there yet and we would have asked the two sides to continue negotiating to improve that deal. But in practice, this decision today creates a sort of deadline of six months for the two sides to finish the agreement. Otherwise, Facebook would be in a very complicated legal and political situation and have to potentially delete tonnes of information that it needs to operate.