The European Union (EU) recently handed Meta, the owner of the Facebook social media platform, the largest data privacy fine on record, a EUR 1.2 billion ($1.29 billion) penalty for failing to properly safeguard European Facebook users’ data stored and processed in US data centers. The EU penalty is driven by concerns over artificial intelligence (AI) and Generative AI (GenAI), according to research conducted by GlobalData.
Emma Mohr-McClune, Chief Analyst Telecoms Practice, Technology at GlobalData, comments: “This eye-watering fine – the largest ever in the history of GDPR penalties – sends a clear signal to all digital service providers thinking of evolving advertising and targeting products further with AI and GenAI and applying it to European Facebook users’ personal data that lands in US data centers. In the age of AI and GenAI, this isn’t going to work.”
According to Mohr-McClune, Meta has a reasonably strong legal case for its already-announced appeal. Since 2020, Meta has been using the same Standard Contractual Clauses (SCCs) legal tool that all US digital service providers use to provide transatlantic data flow safeguards – a tool, which the EU previously approved. Secondly, the company has a case that it has been singled out for penalty, so there’s a discrimination argument to support the appeal. And thirdly, the industry is awaiting the publication of a new framework – previously agreed last year by US President Joe Biden and European Commission President Ursula von der Leyen – which may come into effect in just a few months.
Mohr-McClune observes: “What’s driving this tough approach is fear of AI. The recent advances in AI and Gen AI will bring a sea change to digital and mobile digital advertising targeting techniques – and advertising is the lifeblood of Meta’s Facebook revenues. This EU fine is essentially a call to action, and it goes out to all US digital players: Either figure out a federated system whereby European Facebook data can stay in Europe, where the EU can better assert GDPR privacy standards, or lobby the US government to tighten US surveillance law standards to bring the transatlantic data flow closer to GDPR standards. But Meta will hardly like that message.”
Meta has around 20 data centers worldwide, with a vast majority of them based in the US and currently just three in Europe. The last-built European data center required an investment of EUR 1.7 billion and took two years to build before coming online in 2019. Further investment in European data centers is not on the Meta agenda right now, and certainly not part of CEO Mark Zuckerberg’s ongoing ‘Year of Efficiency’ cost-saving drive, which has already included several high-profile layoff waves.
Mohr-McClune concludes: “To be fair, Meta hasn’t been the most advanced to date in AI and GenAI development, and there are bigger players with more developed AI strategies that also store and process European data in the US that the EU’s data privacy agencies could have targeted. But this is about the signal, and the EU has chosen the Facebook platform for what could be the first of many mega GDPR-violation fines over the transatlantic data flow.”