The first invoices arrived in September. Meta wants the base changed before they do.
Meta has lodged a legal review against Ofcom over the way the regulator calculates fines and penalties under the UK’s Cyber Security Act, the High Court was told on Thursday.
The argument is small on the surface and large underneath. Ofcom’s methodology bills platforms based on what it calls qualified global income, the global income associated with the regulated service rather than just the UK slice.
Fines apply in the same way and can be up to 10% of that global amount. Meta’s position, which has also been explained outside the court, is that any tax should reflect the country where the service is controlled.
💜 for EU tech
The latest talk from the EU tech scene, a story from our genius founder Boris, and some incredible AI art. It’s free, every week, in your inbox. Register now!
“We and others in the technology industry believe that (Ofcom’s) decisions on how to calculate fees and potential fines are disproportionate,” a spokesperson for Meta told reporters.
We believe that fees and fines should be based on regulated services in the countries in which they are regulated. This will still allow Ofcom to impose the largest fines in the history of UK business.”
Ofcom said that this framework has been put into law which was passed by Parliament and that it has discussed in detail how it is to be used. “Disappointingly, Meta opposes the payment of the fines, and any fines that may be levied against the companies in the future, calculated on this basis,” the regulator said.
What is actually at stake
The funds themselves aren’t huge in Meta terms. Ofcom has signaled that the tax will fall to between 0.02% and 0.03% of eligible worldwide income, with a £250m income threshold for liability and a £10m UK income floor below which providers are exempt. For Meta, that translates into several tens of millions of pounds a year on a revenue base of around $165bn.
The exposure of the sentence is a large number. The Cyber Security Act allows Ofcom’s best services up to 10% of eligible global revenue, the same multiplier used by the GDPR. In Meta’s calculations for 2025, the theater ceiling remains at $16bn wide. Whether the calculation starts worldwide or just for UK income makes the difference between a painful remedy and one that doesn’t.
Ofcom’s lawyer, Javan Herberg, told the court that the regulator intends to issue the first round of invoices in the third quarter of this year, possibly in September. If Meta wins, refunds may follow. That timeline explains the urgency: fighting the methodology after invoicing can mean returning money already paid.
Meta’s challenge is procedural rather than constitutional. The company does not dispute that the Cybersecurity Act itself is illegal. It argues that Ofcom’s definition of “relevant global income” reaches beyond what was intended by Parliament and that the resulting figures are inconsistent within the meaning of public law principles.
Those rhymes go with it proportionality fight Meta also works with Brusselswhere Meta argued that the Digital Markets Law Commission’s definition goes beyond what the text supports.
The Supreme Court will not rule on the merits yet. Thursday’s hearing covers timing, refund mechanisms and the status of the review process. A firm decision is unlikely before the autumn, by which time Ofcom will have issued the first invoices.
If Ofcom succeeds, the methodology stands and the UK government joins the EU’s GDPR and DSA in measuring fines on global income. If Meta succeeds, Ofcom will have to reassess; the consequences will extend to TikTok, X, Snap, Pinterest and other major platforms, none of which have joined the Meta coverage publicly but most of which are believed to share the fundamental objection.
Meta’s relationship with British and European regulators has long been fraught. Meta has now amassed more than €2.5bn in EU finesmore than half of the cumulative GDPR fines levied across the bloc, and the company liked most of them. Ofcom investigation of Telegram CSAM It is one of the ongoing Online Safety Act investigations into major platforms, alongside Ofcom’s letters in March seeking evidence of child safety improvements from Facebook, Instagram, Roblox, Snapchat, TikTok and YouTube.
The legislative review takes place at a time when the regulation of the Internet Security Act is moving from the establishment to implementation. Ofcom fined 4chan £520,000 in March and AVS Group £1.05m in December for failing to check age. The questions raised by the Meta about how the meter is read are the very ones that will open up the next round of cases, and they stay close. long criticism of the Internet Security Act from social groups that oppose the scope of the law is already too broad.
September will tell whether the company has bought itself a refund, a change of practice or a footnote in the first OSA bill of its life.
