May Mark Zuckerberg End Up in Jail?
An International, EU, French & Belgian Law Survey
Mark Zuckerberg has never been charged with a crime. Not in the United States, not in Europe, not anywhere on Earth.
And yet. I spent weeks mapping every statute, every pending case, every jurisdictional lever that could, in theory or in practice, lead to his arrest. The legal net is tightening; the question deserves a rigorous answer from someone who reads criminal codes for a living.
Here is what I found.
The Numbers First
Let’s get the scale right. Meta has paid or committed to paying over $8 billion in US penalties and settlements: the $5 billion FTC fine (July 2019), $1.4 billion to Texas for biometric data violations (July 2024, the largest settlement ever obtained by a single US state), $725 million for Cambridge Analytica, and $650 million under Illinois’ BIPA.
In Europe, GDPR fines exceed €2.8 billion, including the record €1.2 billion imposed by the Irish DPC in May 2023 for unlawful EU-US data transfers. The European Commission fined Meta €200 million under the Digital Markets Act in April 2025; its “consent or pay” model violated Article 5(2) of Regulation 2022/1925.
In US courts right now, over 2,325 pending actions sit consolidated in MDL No. 3047 before Judge Yvonne Gonzalez Rogers in the Northern District of California. Forty-two state attorneys general are suing Meta. Bellwether trials began in early 2026.
But here is the detail that matters: Zuckerberg was dismissed as an individual defendant in both April and November of 2024. The court held that control of corporate activity, standing alone, does not meet the standard for personal liability.
The corporate veil holds. For now.
Pathway 1: Perjury Before Congress (United States)
The simplest criminal risk may be the most immediate. Zuckerberg has testified under oath before Congress multiple times. On April 9, 2025, whistleblower Sarah Wynn-Williams told the Senate Judiciary Subcommittee on Crime and Counterterrorism that Meta built censorship tools for the Chinese Communist Party, briefed Chinese officials on AI technology, and that Zuckerberg personally approved these initiatives. Senator Josh Hawley openly called for a criminal referral to the DOJ.
The legal basis: 18 U.S.C. § 1621 (perjury) carries up to five years. So does 18 U.S.C. § 1001 (false statements), which, unlike perjury, does not even require an oath.
Congressional perjury prosecutions are rare. Fewer than two dozen since 1945. Zuckerberg’s political rapprochement with the current administration makes the DOJ appetite for such a case close to zero in the near term. Still, testimony is forever. Administrations change. Those transcripts will outlast every one of them.
Pathway 2: FTC Consent Order Violations (United States)
Most people overlook this one. The 2019 FTC consent order did not just impose a $5 billion penalty. It created a personal compliance obligation for Zuckerberg himself. He must submit quarterly and annual certifications that Meta’s privacy practices comply with the order, and review material privacy risks and decisions each quarter. These obligations run through approximately 2039.
A false certification exposes him to individual civil and potentially criminal penalties. No corporate veil to pierce; the obligation is his alone.
In 2023, the FTC proposed modifying the order to ban Meta from monetizing children’s data entirely, alleging ongoing violations. Dissenting Commissioners Chopra and Slaughter had already criticized the 2019 order for not naming Zuckerberg personally in the complaint. If the FTC establishes that he knowingly signed false compliance certifications, the criminal exposure becomes direct and personal.
Pathway 3: The Responsible Corporate Officer Doctrine (United States)
Under the Park doctrine (United States v. Park, 421 U.S. 658, 1975), a corporate officer can face criminal liability for regulatory violations even without personal knowledge or participation, provided they held a “responsible relationship” to the violation and failed to prevent it. The only defence: objective impossibility.
The doctrine has been applied in food safety, pharmaceuticals, and environmental cases. Never to a technology company. Senator Ron Wyden proposed legislation in 2019 that would have extended it to tech executives of companies with over $1 billion in revenue. The bill failed. Variations keep resurfacing.
Pathway 4: UK Online Safety Act (United Kingdom)
The most explicit statutory pathway to prison for a tech CEO exists, right now, in British law.
The Online Safety Act 2023, Part 7 (Section 178), provides that where a company commits an offence with the “consent or connivance” of a senior officer, or where the offence is attributable to the officer’s neglect, that officer is personally guilty. A separate amendment creates a specific offence for senior managers who, through consent, connivance, or neglect, allow failure to comply with child safety confirmation decisions. The penalty for that offence: up to two years’ imprisonment.
Ofcom’s infrastructure is now fully operational. Illegal Content Codes of Practice came into force on March 17, 2025. Children’s safety measures became enforceable from July 25, 2025. Enforcement is already underway: as of late 2025, Ofcom had opened 21 investigations covering 69 sites and apps, with fines already reaching over £1 million in individual cases, and the power to impose up to £18 million or 10% of qualifying worldwide revenue.
The jurisdictional catch is obvious. Zuckerberg would need to be physically present in the UK or subject to an extradition request. Commentators have noted, with some irony, that this criminal liability effectively functions as a travel advisory: avoid the United Kingdom.
Pathway 5: French Criminal Law
France is where theory meets practice. Two live precedents now exist.
Pavel Durov was arrested at Le Bourget Airport on August 24, 2024. He faces a twelve-count introductory indictment, including complicity in distributing child sexual abuse material and money laundering. The most serious charge carries ten years’ imprisonment. His bail restrictions were lifted on November 10, 2025, after one year of “impeccable compliance,” but he remains mis en examen (under formal investigation). A trial is expected in 2026.
Then, on February 3, 2026, Paris prosecutors’ cybercrime unit (Section J3/JUNALCO) raided X’s offices and issued a convocation pour audition libre (voluntary interview summons) to Elon Musk and former CEO Linda Yaccarino, in their capacity as “de facto and de jure managers,” for April 20, 2026. Europol confirmed its participation. Seven offences are under investigation, including complicity in CSAM possession, sexual deepfake violations via Grok AI, Holocaust denial, and algorithmic manipulation by an organized group.
The French legal architecture rests on several pillars:
Articles 226-16 to 226-24 of the Code pénal criminalize data protection violations. Maximum penalty for natural persons: five years’ imprisonment and €300,000 in fines; for legal entities, fines are multiplied by five under Article 131-38.
Article 121-2 of the Code pénal establishes the non-exclusion principle: corporate criminal liability does not preclude personal criminal liability for natural persons who authored or were accomplices to the same acts. Company and CEO can be prosecuted simultaneously.
Article 223-1 of the Code pénal covers deliberate endangerment (mise en danger délibérée): one year’s imprisonment and €15,000 fine for the base offence.
Article L.132-2 of the Code de la consommation: deceptive commercial practices carry two years and €300,000 at baseline, escalating to five years and €750,000 when committed via digital means (LOI n° 2024-420 of May 10, 2024).
The CNIL can refer matters for criminal prosecution under Article 40 of the Code de procédure pénale. It has not publicly done so against Meta. But the Durov and Musk cases establish that the cybercrime prosecutors’ unit is perfectly willing to act independently.
If Zuckerberg were to set foot on French soil, the legal basis for his arrest exists in statute.
Pathway 6: Belgian Criminal Law
Belgium reformed its corporate criminal liability framework in 2018, and the change matters here.
The Act of July 11, 2018 (published Moniteur belge July 20, 2018, in force July 30, 2018) abolished the old décumul rule. Previously, courts had to determine which party, company or individual, bore the “most serious fault,” and could only convict that party (with an exception for intentional offences). The new Article 5, paragraph 3, of the Belgian Criminal Code now reads: “La responsabilité pénale des personnes morales n’exclut pas celle des personnes physiques auteurs des mêmes faits ou y ayant participé.” (The criminal liability of legal entities does not preclude that of the natural persons who committed the same acts or participated therein.)
Corporate liability and individual liability coexist. Simultaneously. This mirrors the French non-exclusion principle. A further reform is expected as a new Belgian Criminal Code, approved by Parliament in late 2024, is set to enter into force around 2026.
Belgian data protection criminal provisions are found in Articles 222 to 230 of the Act of July 30, 2018 (the implementing legislation for the GDPR). These apply to data controllers, processors, and persons acting under their authority. Directors fall within this scope. Maximum nominal fines reach €30,000, multiplied by the current eightfold surcharge factor, yielding a de facto maximum of approximately €240,000. Additional sanctions include confiscation of data carriers and court-ordered cessation of processing.
The Belgian Data Protection Authority (APD/GBA) can initiate complaints. Belgium’s judiciary has shown increasing willingness to pursue cross-border technology enforcement.
Pathway 7: EU Digital Services Act and Digital Markets Act
The EU’s regulatory architecture is primarily administrative, but its implications for personal criminal liability run deeper than they appear.
The DSA (Regulation 2022/2065) empowers the Commission to fine platforms up to 6% of total worldwide annual turnover (Article 74). The DMA (Regulation 2022/1925) goes further: 10% for a first infringement, and up to 20% for repeated offences.
The European Commission opened two separate DSA proceedings against Meta in 2024: one on April 30 (deceptive advertising, disinformation, political content) and one on May 16 (protection of minors, addictive algorithmic design, age verification). On October 24, 2025, the Commission issued preliminary findings of non-compliance on three fronts: burdensome researcher data access, dark patterns hindering illegal content reporting on Facebook and Instagram, and inadequate content moderation appeals.
A milestone passed in December 2025: the Commission imposed its first-ever DSA fine, €120 million against X, for deceptive blue-checkmark design, ad transparency failures, and researcher data access barriers.
Member States retain the right to impose criminal sanctions for violations of national implementing legislation. If DSA proceedings establish that Meta knowingly failed to protect children on its platforms, national prosecutors in any EU Member State could use those findings as a factual foundation for criminal proceedings against responsible officers under their domestic law.
The question is which one, in which country, and for what.
Pathway 8: Myanmar, the Rohingya, and International Law
The UN’s 2018 Independent Fact-Finding Mission (A/HRC/39/64) found that Facebook played a “determining role” in violence against the Rohingya. The platform had roughly 20 million users in Myanmar but employed only two Burmese-speaking content reviewers as late as 2015.
Amnesty International’s September 2022 report, The Social Atrocity: Meta and the right to remedy for the Rohingya (ASA 16/5933/2022), concluded that Meta’s algorithms proactively amplified content inciting violence and discrimination. In January 2025, Amnesty filed a SEC whistleblower complaint alleging Meta misrepresented its role in Rohingya atrocities in shareholder filings.
A civil lawsuit in Kenya (jurisdiction affirmed April 3, 2025 by the High Court) targets Meta’s algorithmic amplification of hate speech during the Ethiopian civil war. The amount varies by source: approximately $1.6 to $2.4 billion.
Could the International Criminal Court prosecute Zuckerberg? The Rome Statute requires proof of “intent and knowledge” (Article 30), and ICC jurisdiction extends only to individuals (Article 25(1)), not corporations. The evidentiary bar for proving that a CEO intended to facilitate atrocities through platform inaction is extraordinarily high.
Practically impossible. But the moral and legal record keeps accumulating.
What the Precedents Tell Us
Tech executives have been arrested before. In 2016, Brazilian police detained Meta’s VP Diego Dzodan for refusing to hand over WhatsApp data. In South Korea, Kakao founder Kim Beom-su was arrested in July 2024 for stock manipulation. He was later cleared.
The executives who actually went to prison shared one feature: provable, direct financial fraud. Jeffrey Skilling (Enron), Elizabeth Holmes (Theranos), Sam Bankman-Fried (FTX). They fabricated financials and stole money.
Meta’s alleged harms are different in kind. Privacy violations, addictive design, algorithmic amplification. Devastating, but they do not, as of today, map neatly onto criminal statutes designed for fraud, theft, or direct physical harm.
The Honest Answer
Zuckerberg will almost certainly not go to prison. The structural obstacles remain: jurisdictional barriers, the corporate veil, evidentiary thresholds for personal intent, Section 230 protections in the US, and the basic challenge of criminalizing systemic platform harms.
But “almost certainly not” is not “never.” The gap keeps narrowing.
France has shown it will arrest tech CEOs on its territory and summon them for questioning with Europol support. The UK has enacted a law that explicitly provides for their imprisonment. Belgium and France have abolished the old doctrines that shielded corporate officers from personal prosecution. The FTC’s compliance certifications create direct, personal criminal exposure that runs for another fourteen years. Congressional perjury transcripts do not expire.
The NIS 2 Directive and DORA (enforced since late 2024 and early 2025) now impose personal liability on executives for cybersecurity failures, further expanding the toolkit for individual accountability.
Ten years ago, none of these pathways existed. Five years ago, most were theoretical. Today, two tech CEOs face active criminal investigation in France, the first DSA fine has been imposed, and bellwether trials over adolescent harms are underway.
The legal ground is moving. Not toward Zuckerberg’s cell door. Not yet. But unmistakably in that direction.
The real question is no longer whether a tech CEO will eventually face prison for platform harms. The question is which one, in which country, and for what.
This analysis draws on verified legal sources including: the FTC (2019 Consent Order Fact Sheet); European Commission decisions (IP/24/2373, IP/24/2664); Légifrance (Articles 121-2, 223-1, 226-16 to 226-24 Code pénal; Article L.132-2 Code de la consommation; LOI n° 2024-420 of May 10, 2024); the Belgian Criminal Code (Article 5, as amended by the Act of July 11, 2018, Moniteur belge July 20, 2018); the Belgian Act of July 30, 2018 (Articles 222-230); UK Online Safety Act 2023 (Sections 178, 186); Ofcom enforcement statements; Rome Statute (Articles 25, 30); Amnesty International report ASA 16/5933/2022; UN Fact-Finding Mission report A/HRC/39/64; MDL No. 3047 (N.D. Cal., Case No. 4:22-md-03047-YGR); and contemporaneous reporting from France 24, NBC News, Al Jazeera, AP, and Reuters.
The views expressed are analytical, not advocacy. This is not legal advice.
RELATED
- CRIMINAL CONSEQUENCES for Mark Zuckerberg? – by James M. Walsh, Esq.
- Could Worldwide Regulatory Fines Put Meta Out of Business? – by James M. Walsh, Esq.
- Meta Removes Legitimate Legal Ads from Facebook and Instagram, But Allows Scam Ads to Keep Running! – by James M. Walsh, Esq.
- BREAKING! In the Span of 2 Days, Meta Loses 2 BIG Lawsuits! And Now Thousands More Will Be Filed… – by James M. Walsh Esq.
- Meta Partnered with China to Scam Americans, and Even to Target Our Children – by James M. Walsh, Esq.
Christophe Boeraeve is an attorney at the Brussels Bar (OBFG). He has specialized in tax law, intellectual property, data protection (GDPR), and consumer law. Christophe is also a founding Member @ Law Right, Int Human Rights, Tax, IP & Data Privacy Lawyer, and an Essayist & Novelist.
HAVE A QUESTION ABOUT SELF-PUBLISHING A BOOK?
a self-publishing services company that has been in business since 1998. Ask her anything.
ASK ANGELA!
![](https://writersweekly.com/wp-content/uploads/2026/05/testimonial-rita.jpeg")
![](https://writersweekly.com/wp-content/uploads/2026/05/testimonial-haugh.jpeg")
![](https://writersweekly.com/wp-content/uploads/2026/05/testimonial-theodore.jpeg")
![](https://writersweekly.com/wp-content/uploads/2026/05/testimonial-deitrich.jpeg")
![](https://writersweekly.com/wp-content/uploads/2026/05/testimonial-jelloul.jpeg")