Ireland’s privacy watchdog has hit Meta with a record-breaking privacy fine of €1.2 billion ($1.3 billion) over illegal transfers of European users’ personal data to the United States by the tech giant – and, perhaps more importantly, the company has been ordered to stop sending any more of that information across the Atlantic.
The ban, which Meta previously warned could drag Facebook and Instagram out of the European Union, will take effect in mid-October.
As a result, Meta will have to significantly change how it runs its business – unless the EU and the US can seal the deal on a controversial new data-sharing agreement that would give it a legal basis for its transfers.
The Irish Data Protection Commission originally didn’t want to impose any fines against Meta – until the European Data Protection Board (EDPB), which comprises all EU privacy regulators, overruled it.
“The EDPB found that [Meta’s] breach is very serious because it relates to transfers that are systematic, repetitive and continuous,” said EDPB President Andrea Jelinek. “Facebook has millions of users in Europe, so the amount of personal data transferred is enormous. The unprecedented fines are a strong signal to organizations that serious breaches have far-reaching consequences.”
“We are appealing these decisions and will immediately seek a stay with the courts, which could block the implementation deadline, given the harm these orders have caused to millions of people who use Facebook every day,” wrote Nick Clegg and Jennifer Newstead, Meta’s president of global affairs and chief legal officer, respectively, in a blog post.
As Meta was conducting business as usual for US Big Tech – serving European users and moving their data to stateside data centers – the highly anticipated decision from the Irish Data Protection Commissioner will also send chills down the spines of many other US corporations that have the same fundamental problem: US intelligence agencies have largely free rein to collect personal data of non-Americans from US servers, and there’s nothing foreigners can do about it.
The issue is at the center of an extraordinary chain of events set in motion a decade ago by Max Schrems, then a law student in Austria, who watched National Security Agency whistleblower Edward Snowden’s 2013 revelations about US surveillance programs and challenged Facebook’s data transfers to the US on the basis that the company cannot guarantee the privacy rights of EU users.
Ireland’s privacy watchdog initially shrugged off his complaint, pointing out that the EU had a data-sharing agreement with the US, called the Safe Harbour, which allegedly made the transfer legal. But Schrems pushed back, and in 2015 the EU’s highest court, the Court of Justice, struck down that agreement because it didn’t protect the privacy rights of EU users. The European Commission then agreed a replacement agreement with the US, called the Privacy Shield, but the Court struck down that too in 2020.
The 2020 ruling also undermined Facebook’s backup plan to keep its trans-Atlantic transfers legal: a mechanism called “standard contractual clauses” that ultimately failed to protect Europeans’ data in the US. Meta, as the company was renamed in 2021, was left without any legal basis for its transfers – which led to the decision published on Monday.
“We are pleased to see this decision after ten years of litigation,” Schrems said. “The penalty could have been much higher, given that the maximum penalty [under the EU’s General Data Protection Regulation or GDPR] is over €4 billion and Meta knowingly broke the law to make a profit for 10 years. Until US surveillance laws are settled, Meta will have to radically reorganize its systems.”
What is the matter?
Now everything comes down to that new data-sharing deal between the US and the EU, called the Data Privacy Framework.
The White House and the European Commission reached a political agreement last year on the DPF, highlighting modifications to US surveillance practices that were outlined in an October executive order by US President Joe Biden. However, while the European Commission has every political motivation to approve the DPF, it first asked the European Parliament and the EDPB for their opinion—and the results were not promising.
Parliament’s civil liberties committee said the agreement was too vague and would still allow US agencies to conduct mass surveillance on Europeans’ personal data. It also said the new Data Protection Review Court, which the US will set up as part of the deal to give Europeans a way to complain about surveillance of their data, will not be independent of the White House. The EDPB welcomed the principles of the DPF, but also warned that the deal lacked clarity about safeguards.
It is now up to EU national governments to approve the deal.
“Today’s legal uncertainty will remain in place until this new data transfer mechanism is formally approved by EU member states. We call on the 27 EU national governments to ratify the Commission’s adequacy decision without further delay,” said Alexandre Roure, public policy director at tech industry lobbying organization CCIA Europe.
“Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent solution,” Schrems said. “In my view, there is probably a 10% chance that the new deal will not be killed by the [Court of Justice]. Until US surveillance laws are settled, Meta will likely keep EU data in the EU.”