Ireland’s privacy watchdog has hit Meta with a record-breaking privacy fine of €1.2 billion ($1.3 billion) over the tech giant’s illegal transfers of European users’ personal data to the United States—and perhaps more importantly, has ordered the company to stop sending any more of that information across the Atlantic.
The ban, which Meta has previously warned could lead it to pull Facebook and Instagram out of the European Union, will take effect in mid-October.
As a result, Meta will have to significantly change how it runs its business—unless the EU and U.S. can seal the deal on a controversial new data-sharing agreement that would give it a legal basis for its transfers.
The Irish Data Protection Commission originally didn’t want to levy any fine against Meta—until the European Data Protection Board (EDPB), which comprises all the EU’s privacy regulators, overruled it.
“The EDPB found that [Meta’s] infringement is very serious since it concerns transfers that are systematic, repetitive and continuous,” said EDPB Chair Andrea Jelinek. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” wrote Nick Clegg and Jennifer Newstead, Meta’s global affairs president and chief legal officer respectively, in a blog post.
Everybody's problem
As what Meta was doing was business as usual for U.S. Big Tech—serving European users and transferring their data into Stateside data centers—the Irish Data Protection Commissioner’s heavily-anticipated decision will also send chills down the spines of many other U.S. corporations that have the same fundamental problem: U.S. intelligence agencies have largely free rein to collect the personal data of non-Americans from U.S. servers, and there’s nothing those foreigners can do about it.
This is the issue at the heart of an extraordinary chain of events set in motion a decade ago by Max Schrems, a then-student lawyer from Austria who saw the 2013 revelations of National Security Agency whistleblower Edward Snowden about U.S. surveillance programs, and challenged Facebook’s data transfers to the U.S. on the grounds that the company couldn’t guarantee the privacy rights of users from the European Union.
Ireland’s privacy watchdog initially repelled his complaint, pointing out that the EU had a data-sharing agreement with the U.S., called Safe Harbour, that supposedly made the transfers legal. But Schrems pushed back, and in 2015 the EU’s highest court—the Court of Justice—struck down that agreement because it didn’t protect EU users’ privacy rights. The European Commission then agreed a replacement deal with the U.S., called Privacy Shield, but the Court struck that one down too, in 2020.
The 2020 ruling also fatally undermined Facebook’s backup plan for keeping its trans-Atlantic transfers legal: a mechanism called “standard contractual clauses”, which ultimately had the same problem of failing to protect Europeans’ data in the U.S. So Meta, as the company renamed itself in 2021, was left without any legal basis for its transfers—which is what led to the decision published Monday.
"We are happy to see this decision after ten years of litigation,” said Schrems. “The fine could have been much higher, given that the maximum fine [under the EU’s General Data Protection Regulation or GDPR] is more than €4 billion and Meta has knowingly broken the law to make a profit for 10 years. Unless U.S. surveillance laws get fixed, Meta will have to fundamentally restructure its systems."
What's the deal
Everything now comes down to that new data-sharing deal between the U.S. and EU, which is called the Data Privacy Framework.
The White House and the European Commission came to a political agreement on the DPF last year, highlighting amendments to U.S. surveillance practices that were outlined in an October executive order by U.S. President Joe Biden. However, while the European Commission has every political motivation to approve the DPF itself, it first asked the European Parliament and the EDPB for their opinions—and the results were not promising.
The Parliament’s civil liberties committee said the agreement was too vague and would still allow U.S. agencies to conduct mass surveillance on Europeans’ personal data. It also said the new Data Protection Review Court, which the U.S. would establish under the deal to give Europeans a way to complain about the surveillance of their data, wouldn’t be independent from the White House. The EDPB welcomed the DPF’s principles, but also warned that the deal lacked clarity about safeguards.
It's now up to the EU’s national governments to approve the deal.
“Today’s legal uncertainty will continue to persist as long as this new data transfer mechanism has not been formally approved by EU Member States. We call on the 27 EU national governments to approve the Commission’s adequacy decision without delay,” said Alexandre Roure, public policy director at the tech industry lobbying organization CCIA Europe.
"Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix,” said Schrems. “In my view, the new deal has maybe a 10% chance of not being killed by the [Court of Justice]. Unless U.S. surveillance laws gets fixed, Meta will likely have to keep EU data in the EU."