Irelands privacy watchdog has hit Meta with a record-breaking privacy fine of 1.2 billion ($1.3 billion) over the tech giants illegal transfers of European users personal data to the United Statesand perhaps more importantly, has ordered the company to stop sending any more of that information across the Atlantic.
The ban, which Meta has previously warned could lead it to pull Facebook and Instagram out of the European Union, will take effect in mid-October.
As a result, Meta will have to significantly change how it runs its businessunless the EU and U.S. can seal the deal on a controversial new data-sharing agreement that would give it a legal basis for its transfers.
The Irish Data Protection Commission originally didnt want to levy any fine against Metauntil the European Data Protection Board (EDPB), which comprises all the EUs privacy regulators, overruled it.
The EDPB found that [Metas] infringement is very serious since it concerns transfers that are systematic, repetitive and continuous, said EDPB Chair Andrea Jelinek. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.
We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day, wrote Nick Clegg and Jennifer Newstead, Metas global affairs president and chief legal officer respectively, in a blog post.
Everybodys problem
As what Meta was doing was business as usual for U.S. Big Techserving European users and transferring their data into Stateside data centersthe Irish Data Protection Commissioners heavily-anticipated decision will also send chills down the spines of many other U.S. corporations that have the same fundamental problem: U.S. intelligence agencies have largely free rein to collect the personal data of non-Americans from U.S. servers, and theres nothing those foreigners can do about it.
This is the issue at the heart of an extraordinary chain of events set in motion a decade ago by Max Schrems, a then-student lawyer from Austria who saw the 2013 revelations of National Security Agency whistleblower Edward Snowden about U.S. surveillance programs, and challenged Facebooks data transfers to the U.S. on the grounds that the company couldnt guarantee the privacy rights of users from the European Union.
Irelands privacy watchdog initially repelled his complaint, pointing out that the EU had a data-sharing agreement with the U.S., called Safe Harbour, that supposedly made the transfers legal. But Schrems pushed back, and in 2015 the EUs highest courtthe Court of Justicestruck down that agreement because it didnt protect EU users privacy rights. The European Commission then agreed a replacement deal with the U.S., called Privacy Shield, but the Court struck that one down too, in 2020.
The 2020 ruling also fatally undermined Facebooks backup plan for keeping its trans-Atlantic transfers legal: a mechanism called standard contractual clauses, which ultimately had the same problem of failing to protect Europeans data in the U.S. So Meta, as the company renamed itself in 2021, was left without any legal basis for its transferswhich is what led to the decision published Monday.
We are happy to see this decision after ten years of litigation, said Schrems. The fine could have been much higher, given that the maximum fine [under the EUs General Data Protection Regulation or GDPR] is more than 4 billion and Meta has knowingly broken the law to make a profit for 10 years. Unless U.S. surveillance laws get fixed, Meta will have to fundamentally restructure its systems.
Whats the deal
Everything now comes down to that new data-sharing deal between the U.S. and EU, which is called the Data Privacy Framework.
The White House and the European Commission came to a political agreement on the DPF last year, highlighting amendments to U.S. surveillance practices that were outlined in an October executive order by U.S. President Joe Biden. However, while the European Commission has every political motivation to approve the DPF itself, it first asked the European Parliament and the EDPB for their opinionsand the results were not promising.
The Parliaments civil liberties committee said the agreement was too vague and would still allow U.S. agencies to conduct mass surveillance on Europeans personal data. It also said the new Data Protection Review Court, which the U.S. would establish under the deal to give Europeans a way to complain about the surveillance of their data, wouldnt be independent from the White House. The EDPB welcomed the DPFs principles, but also warned that the deal lacked clarity about safeguards.
Its now up to the EUs national governments to approve the deal.
Todays legal uncertainty will continue to persist as long as this new data transfer mechanism has not been formally approved by EU Member States. We call on the 27 EU national governments to approve the Commissions adequacy decision without delay, said Alexandre Roure, public policy director at the tech industry lobbying organization CCIA Europe.
Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix, said Schrems. In my view, the new deal has maybe a 10% chance of not being killed by the [Court of Justice]. Unless U.S. surveillance laws gets fixed, Meta will likely have to keep EU data in the EU.
