The European Union, a market of 400 million consumers spread across 26 different countries, has become the world’s most dogged tech watchdog, as evidenced by a recent fine levied against Meta.
On Monday, the Irish Data Protection Commissioner (DPC), backed by the European Data Protection Board (EDPB), meted out its largest-ever fine against a tech company: 1.2 billion euros ($1.3 billion), handed down to Meta (née Facebook) for transferring European users’ data to the U.S. under standard contractual clauses, which European regulators decided was not sufficiently protecting European citizens’ rights.
“Facebook has millions of users in Europe, so the volume of personal data transferred is massive,” Andrea Jelinek, chair of the EDPB, said in a statement. “The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
The decision could have broader consequences. Often enough, disciplinary actions imposed by European bureaucrats cause companies to consider new approaches worldwide to meet the most stringent levels of regulation. In just the last few months, the EU has developed a European AI Act and threatened antitrust action against a number of companies.
In Meta’s case, the tech giant breached the EU’s General Data Protection Regulation (GDPR), a suite of data privacy laws passed in the late 2010s and designed to enshrine the right to privacy for European citizens. Many countries have followed suit with their own data protection laws—around 145 different jurisdictions, according to one analysis—while California’s Consumer Privacy Act (CCPA) is modeled on the GDPR. It’s an indication that where the EU leads, others follow—and that marching in lockstep has perhaps helped embolden the EU to take the action it did against Meta.
“The EU has been working on privacy protection for decades, and given the determination of its highest court, if not the European Commission, that effort is finally bearing fruit,” says Ian Brown, visiting professor at the Getulio Vargas Foundation Law School in Rio de Janeiro.
Brown says that the European fine was imposed in part because the U.S. doesn’t have a federal data protection law similar to the GDPR. “The U.S. is now a real outlier in not having a comprehensive national law, as well as in the pervasiveness of its surveillance efforts in the democratic world,” he says. “That will continue to cause problems for U.S. organizations.”
Anupam Chander, a law professor at Georgetown University, warns that the EU’s aggressive moves against tech companies could unduly punish American companies while overlooking the sins of homegrown European firms. Chander says it’s easier for the European regulators to police foreign companies, not least because the EU is an economic union that seeks to promote its own firms.
“Sometimes we need regulation of tech enterprises and digital space, but sometimes there can be a greater amount of self-interest in driving these efforts than may be publicly stated,” Chander says, adding that while the EU could have targeted any number of European countries transferring data to the United States, regulators singled out Meta for a reason. “Facebook happens to be a convenient target for European data-transfer enforcement. It’s a large American company with a few people who will sympathize with their plight.”
The implications for users worldwide are significant. We’re likely to see more protections put in place to ensure data isn’t misused—though as Europeans can attest, that comes with more friction when it comes to doing the basics of being online, including browsing the internet. The threat of outsize fines, such as those levied against Meta today, also stymies innovation, according to one analysis.
Nevertheless, stricter regulation of tech companies after years of relative laissez-faire policymaking may be a good thing. Polling consistently suggests that U.S. citizens see tech firms in a negative light, and the need for more tech regulation is one of the few unifying topics across the political spectrum.
Whether Americans will support tech regulation that comes with a strong European accent is another question entirely.