Facebook-parent Meta has perhaps become the most high-profile casualty of a long-running privacy dispute between Europe and the United States — but it may not be the last.
Meta has been fined a record-breaking €1.2 billion ($1.3 billion) by European Union regulators for violating EU privacy laws by transferring the personal data of Facebook users to servers in the United States. Meta said Monday it would appeal the ruling, including the fine.
The historic fine against Meta — and a potentially game-changing legal order that could force Meta to stop transferring EU users’ data to the United States — isn’t just a one-off decision limited to this one company or its individual business practices. It reflects bigger, unresolved tensions between Europe and the United States over data privacy, government surveillance and regulation of internet platforms.
Those underlying and fundamental disagreements, which have simmered for years, have now come to a head, casting a significant shadow over thousands of businesses that depend on processing EU data in the United States.
Beyond its huge economic implications, however, the fine has once again highlighted Europe’s deep mistrust of US surveillance powers — right as the US government is trying to build its own case against foreign-linked apps such as TikTok over similar surveillance concerns.
The origins of Meta’s fine this week trace back to a 2020 ruling by Europe’s top court.
In that decision, the European Court of Justice struck down a complex transatlantic framework Meta and many other companies had been relying on until then to legally move EU user data to US servers in the ordinary course of running their businesses.
That framework, known as Privacy Shield, was itself the outgrowth of European complaints that US authorities didn’t do enough to protect the privacy of EU citizens. At the time Privacy Shield was created, the world was still reeling from disclosures made by National Security Agency leaker Edward Snowden. His disclosures highlighted the vast reach of US surveillance programs such as PRISM, which allowed the NSA to snoop on the electronic communications of foreign nationals as they used tech tools built by Google, Microsoft, and Yahoo, among others.
PRISM relied on a basic fact of internet architecture: Much of the world’s online communications take place on US-based platforms that route their data through US servers, with few legal protections or recourse for either foreigners or Americans swept up in the tracking.
A 2013 European Parliament report on the PRISM program captured the EU’s sense of alarm, noting the “very strong implications” for EU citizens.
“PRISM seems to have allowed an unprecedented scale and depth in intelligence gathering,” the report said, “which goes beyond counter-terrorism and beyond espionage activities carried out by liberal regimes in the past. This may lead towards an illegal form of Total Information Awareness where data of millions of people are subject to collection and manipulation by the NSA.”
Privacy Shield was a 2016 US-EU agreement designed to address those concerns by making US companies certifiably accountable for their handling of EU user data. For a time, it seemed as if Privacy Shield could be a lasting solution facilitating the growth of the internet and a globally connected society, one in which the free flow of data would not be impeded.
But when the European Court of Justice invalidated that framework in 2020, it reiterated longstanding surveillance concerns and insisted that Privacy Shield still didn’t provide EU citizens’ personal information the same level of protection in the US that it enjoys in EU countries, a standard required under GDPR, the EU’s signature privacy law.
The loss of Privacy Shield created enormous uncertainty for the more than 5,300 businesses that rely on the smooth transfer of data across borders. The US government has said transatlantic data flows support the more than $7 trillion of economic activity that occurs every year between the United States and the European Union. And the US Chamber of Commerce has estimated that transatlantic data transfers account for about half of all data transfers in both the US and the EU.
The Biden administration has moved to implement a successor to Privacy Shield that contains some changes to US surveillance practices, and if it is fully implemented in time, it could prevent Meta and other companies from having to suspend transatlantic data transfers or some of their European operations.
But it’s unclear whether those changes will be enough to be accepted by the EU, or whether the new data privacy framework could avoid its own court challenge.
The possibility that US-EU data transfers may be seriously disrupted is refocusing scrutiny on US surveillance law just as the US government has been sounding its own alarms about Chinese government surveillance.
US officials have warned that China could seek to use data collected from TikTok or other foreign-linked companies to benefit the country’s intelligence or propaganda campaigns, using the personal information to identify spying targets or to manipulate public opinion through targeted disinformation.
But US moral authority on the issue risks being eroded by the EU criticism, a problem for the US government that may only be compounded by its own missteps.
Just last week, a federal court described how the FBI improperly accessed a vast intelligence database meant for surveilling foreign nationals in a bid to gather information on US Capitol rioters and those who protested the 2020 killing of George Floyd.
The improper access, which was not “reasonably likely” to retrieve foreign intelligence information or evidence of a crime, according to a Justice Department assessment described in the court’s opinion, has only inflamed domestic critics of US surveillance law, and could give ammunition to EU critics.
The intelligence database at issue was authorized under Section 702 of the Foreign Intelligence Surveillance Act — the same law used to justify the NSA’s PRISM program and which the EU has repeatedly cited as a danger to its citizens and a reason to suspect transatlantic data sharing.
While the US distinguishes itself from China based on commitments to open and democratic governance, the EU’s concerns about the US are not much different in kind: They come from a place of deep mistrust of broad surveillance authority and suspicions about the potential misuse of user data.
For years, civil liberties advocates have alleged that Section 702 enables warrantless spying on Americans on an enormous scale. Now, the FBI incident may only further validate EU fears; add to the existing concerns that led to Meta’s fine; contribute to the potential unraveling of the US-EU data relationship; and damage US credibility in its push to warn about the hypothetical risks of letting TikTok data flow to China.
If a new transatlantic data agreement is delayed or falls apart, Meta won’t be the only company stuck with the bill. Thousands of other companies may get caught in the middle, and the United States will have to hope nobody looks too closely at why while still trying to make a case against TikTok.