Finally, Meta, previously Facebook, has been ordered to stop exporting EU user data to the US for processing. The European Data Protection Board (EDPB) fined Meta €1.2 billion (nearly $1.3BN) today, the biggest GDPR fine ever. In addition, Amazon was fined $887M in 2021 for exploiting customer data for advertising.
Meta was fined for violating the pan-EU rule on data transfers to third countries (the US) without proper protections. US monitoring violates EU privacy rights, according to EU judges.
Andrea Jelinek, EDPB chair, stated:
The EDPB deemed Meta IE’s [Ireland’s] systematic, repetitive, and continuing transfers severe. Facebook transfers large amounts of personal data from millions of European users. Organizations should take note of the unusual fine.
The Irish Data Protection Commission (DPC), which implements the EDPB’s binding ruling, had not yet issued a statement at the time of writing. Its final Decision, however, has been published.
Meta promptly posted on its blog that it would challenge the suspension ruling, calling the fine “unjustified and unnecessary.” Nick Clegg, president of global affairs, and Jennifer Newstead, chief legal officer, wrote:
Given the harm these orders will cause, particularly to the millions of users who use Facebook daily, we are appealing these rulings. We will immediately seek a stay with the courts to stop the implementation dates.
The tech giant told investors in April that an EU data flows ban would threaten 10% of its global ad revenue.
Meta spokesman Matthew Pollard declined to provide “extra guidance” on its suspension preparations before the Decision. Instead, he pointed to an earlier statement in which the firm said the matter involves a “historic conflict of EU and US law” that EU and US politicians working on a new transatlantic data transfer framework are resolving. The revised transatlantic data framework Pollard referred to has still not been adopted.
In its conclusion, the DPC writes:
“This Decision will bind Meta Ireland only. It is clear, however, that the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA”.
So the pressure on lawmakers on both sides of the Atlantic to resolve the issue will likely be amplified.
Max Schrems, a vocal critic of Meta’s lead data protection regulator in the EU, filed a complaint against Facebook’s Irish subsidiary almost a decade ago, accusing the Irish privacy regulator of taking an intentionally long and winding path to frustrate effective enforcement of the bloc’s rulebook. Schrems claims that only the US can fix the EU-US data flow doom loop by reforming its surveillance methods.
“We are happy to see this decision after ten years of litigation,” he stated of today’s order through his privacy rights non-profit, noyb. “Meta intentionally broke the law for ten years. Thus the fine might have been considerably greater. Instead, Meta must substantially rebuild its infrastructure until the US spying laws are fixed.”
The DPC, which oversees GDPR compliance for multiple tech giants with regional headquarters in Ireland, rejects criticism of its slow enforcement processes, arguing that they are necessary to perform due diligence on complex cross-border cases. It also blames other supervisors that object to its draft rulings for the delays.
However, DPC draft decisions against Big Tech have repeatedly resulted in tighter enforcement once other supervisors weighed in under the GDPR’s cooperation mechanism, as in the Meta and Twitter cases.
This shows that the Irish regulator consistently under-enforces the GDPR on the most powerful digital platforms, which delays enforcement and makes the legislation less effective. In the Facebook data flows case, objections to the DPC’s draft decision were raised last August, so it took nine months to reach a final decision and suspension order. If enforcement is dragged out long enough, the political goalposts may move enough to avoid enforcement altogether. While advantageous for data-mining tech companies like Meta, it violates citizens’ rights.
As noted above, the DPC is implementing a binding decision taken by the EDPB last month to settle an ongoing disagreement over Ireland’s draft decision, so much of what’s being ordered on Meta today comes from the bloc’s supervisor body for privacy regulators. The Board asked the DPC to include a financial penalty in its proposal, writing:
The EDPB calculated the fine starting at 20% to 100% of the legal maximum due to the nature of the offense. The EDPB also ordered the IE DPA to order Meta IE to comply with Chapter V GDPR by ceasing the unlawful processing, including storage, of European users’ data in the U.S. within six months of the IE SA’s final Decision.
Meta can be fined up to 4% of its global yearly turnover under the GDPR. It could have been penalized almost $4BN, considering its full-year turnover last year was $116.61BN. The Irish regulator fined Meta less than it could have, but still more than the DPC itself had wanted to impose.
Today, Schrems again accused the DPC of undermining GDPR enforcement. “We sued the Irish DPC for ten years to attain this result. Three DPC procedures endangered millions in procedural expenditures. The Irish regulator tried everything to avoid this ruling but was repeatedly overruled by European Courts and institutions. It’s absurd that Ireland, the EU Member State that did everything to avoid this fine, will get the record fine,” he remarked.
Facebook’s European future? Nothing changes immediately. The service will continue to work for six months before data transfers are suspended. Meta has five months to stop transferring personal data to the US and six months to stop unlawfully processing and storing European user data it sent without a legal basis. Meta also plans to appeal and request a stay.
Schrems has stated that Facebook will need to federate its infrastructure to provide a service to European users without exporting their data to the US. However, the transition period in today’s ruling should give Meta ample time to sign up to the new transatlantic data transfer accord, allowing it to avoid suspending EU-US data flows.
The European Commission has declined to give a deadline for adopting the new EU-US data deal, citing the many stakeholders involved. However, previous reports have suggested July.
That would hand Meta a new escape hatch to avoid suspending Facebook’s service in the EU, and it could keep relying on this high-level mechanism for as long as it exists.
If that’s how the next chapter of this tortuous complaint saga plays out, a case against Facebook’s illegal data transfers that dates back almost ten years will again be left twisting in the wind, raising questions about whether Europeans can exercise their GDPR legal rights. (And whether deep-pocketed internet giants with well-paid lawyers and lobbyists can be governed at all?)
Schrems gives the EU-US data-sharing treaty little chance of surviving legal challenges, so Meta and other US companies that transfer data for processing overseas may soon be back in this doom loop. Schrems said Meta plans to rely on the new deal for future transfers, but it may not be a permanent solution. The new deal has a 10% chance of surviving the CJEU. Meta may therefore have to keep EU data in the EU unless US spying regulations change.
Meta may also have to delete data from prior transfers, since it had no legal basis for them. Any new transatlantic system should only cover future data transfers, not previous exports, so Meta may face ongoing issues. Leaked internal documents suggest the tech giant may have trouble complying with an order to selectively delete Europeans’ data.
Meta claims in its blog post that the DPC confirmed “in its decision” that Meta will not be forced to delete EU data subjects’ data “once the underlying conflict of law has been resolved.” Asked about data deletion, Meta pointed us to the following passage of the decision (the emphasis is Meta’s):
Accordingly, and as directed by the EDPB further to the Article 65 Decision, I have included, in Section 10, below, an order requiring Meta Ireland to bring processing operations into compliance with Chapter V GDPR by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR within six months of this Decision being notified to Meta Ireland (“the Cessation Order”).
In this regard, neither the CSAs nor the EDPB disagreed with my view, set out in paragraph 9.46 above, that “new measures, not currently in operation, may yet be capable of being developed and implemented by Meta Ireland and/or Meta US to compensate for the deficiencies identified herein.” In the Draft Decision, the DPC advocated a suspension order, which is reflected in Section 10 below.
That perspective applies equally to the Cessation Order. For clarity and legal certainty, the orders specified in Section 10 below will remain effective until the matters giving rise to the finding of infringement of Article 46(1) GDPR have been resolved, including by new measures, such as the possible future adoption of a relevant adequacy decision by the European Commission under Article 45 GDPR.
We asked the DPC if it had assured Meta of historical data destruction. Graham Doyle, the deputy commissioner, advised asking Meta. “My understanding is that the EDPB and DPC decisions don’t reference deletion. They reference bringing processing into compliance—maybe that’s what Meta is referring to, but I don’t know without asking them,” he said without directly responding.
Helen Dixon, the DPC’s data protection commissioner, said that “bulk return and/or deletion of all transferred data from an identified point in time would be excessive” in her draft decision on the complaint.