Meta's record fine drives pressure for EU, U.S. data privacy

Eurasia Group Senior Analyst of Geo-Technology Nick Reiners joins Yahoo Finance Live to discuss Meta facing a record fine in Europe over violation of EU data privacy.

Video transcript


- Well, Facebook's parent company Meta is getting hit with a record-breaking $1.3 billion fine, the tech giant facing the penalty from EU regulators because of sending information of European users to the US. That was in direct violation of the European Union's privacy policies. Here's more on what this regulatory scrutiny means for Meta and the tech space.

Let's bring in Eurasia Group Senior Analyst Nick Reiners. Nick, good to talk to you today. The $1.3 billion price tag, certainly a very hefty one for Meta. But put this in context for us. How significant is this ruling not just for Meta but for the other big tech players?

NICK REINERS: Hi. Thanks for having me on the show. So it's very significant firstly for Meta because this is the biggest GDPR fine ever levied by any of the EU data protection regulators. And the GDPR is the EU's General Data Protection Regulation.

So 1.2 billion euros or $1.3 billion is the highest fine ever, but it's still lower than the maximum that could have been levied on Meta because the GDPR allows fines of up to 4% of total revenues, which would have been over $4.5 billion. So it's significant not only for Meta but for the other big tech companies, because the other big tech companies all rely on so-called standard contractual clauses to transfer data from the EU to the US. And the EU data protection authorities decided that these standard contractual clauses don't provide enough safeguards for European personal data. So that means that the other big tech companies will need to find a way to safely transfer data unless the new EU-US data privacy framework comes into force in time.

- Nick, do you see that coming into force in time? What do you think the timeline looks like for that and the pressure that the US now faces as a result of this?

NICK REINERS: I think it will come into force in time. It's been a long time coming. It's been over a year since President Biden announced that the deal in principle had been reached when he came to Brussels a year ago.

But now the I's are being dotted and the T's crossed. And it looks like the final decision on the European side will be done and dusted in July. So hopefully the full data privacy framework will be enforced by September at the latest. And that's going to be in time for Meta because the Irish Data Protection Commission has given Meta a five-month transition period in which to get it ready. So they have allowed enough time for this new framework to come into force.

- Nick, we have seen the EU really crack down through GDPR, but they're certainly not the only ones that have called for storing the data of their own users back home not abroad. We've seen the same argument here in the US, as well. I mean, you talk a little bit about the logistics of that, technically whether that's difficult at all, and whether, in fact, that's where we're headed because of the sheer concern about data collection and what that means for national security.

NICK REINERS: Indeed, it does seem like there's a lot of movement in that direction. Technically speaking, when we talk about data being transferred across the Atlantic, it's not really how it is in reality. In fact, data can cross the Atlantic many times a day. So the temporal reality doesn't always correspond to how we perceive it in our minds.

But there is this huge concern about US surveillance practices. And that is the fundamental problem as Meta has pointed out in their response that there is a clash between European privacy law and US surveillance practices. And that is what the EU likes to call a matter of digital sovereignty or data sovereignty. And as you say, there are other regulations that demand the same kind of data localization policies. We're seeing a new EU cloud certification scheme that is making US companies very upset and the US government very upset because it would essentially force US big cloud providers to set up a joint venture with an EU firm and store all European data in the EU and even have that company potentially majority controlled by a European company.

- How do you think this changes the way that tech companies operate? And to your point, yes, there's a conversation happening between the US and EU. As you say, there's likely going to be some kind of framework in place about data collection. But we're coming off of years of these tech companies not having to worry about where that is. And increasingly, we are seeing data having to be kind of walled up.

NICK REINERS: Indeed. If this data privacy framework, if it is again struck down by the European Court of Justice like its predecessors Privacy Shield and Safe Harbor, then companies might really be running out of options. Because the data protection authorities have decided that these standard contractual clauses don't work, that really removes one of the very last legal workarounds. So it might be that they have to start constructing the dedicated data centers on European soil.

But in fact, many of them are already doing this because they see the way the wind is blowing. And in some cases, it's not quite as difficult as sometimes made out. It's possible to rent data storage solutions. So they will find a way.

- Nick Reiners, good to talk to you today. I appreciate your time.