top of page

Meta: caught up in EU / USA bureaucratic fight

The historic privacy fine is there. Let us remind, that the previous record was the Luxembourg's $833 million fine against Amazon. It brings the total amount of fines under the legislation to around €4 billion.

Meta has been fined a record-breaking €1.2 billion ($1.3 billion) by European Union regulators for violating EU privacy laws by transferring the personal data of Facebook users to servers in the United States. This fine, which is the largest GDPR fine ever, was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses (SCCs) since 16 July 2020,” the statement said. Well, shall we note that this fine isn’t that huge for Meta: in 2022, Meta had a pre-tax profit of $28.2 billion, or about $77.2 million per calendar day. So the $1.3 billion fine (pre-tax) would amount to about 17 calendar days of pretax income.

In addition to the fine, the DPC’s ruling gave Meta five months to stop sending data from Europe to the US and six months to stop handling data it previously collected, which could mean deleting photos, videos, and Facebook posts or moving them back to Europe.

The decision was the result of an inquiry into Facebook by the Irish Data Protection Commission, the regulator overseeing Meta’s operations in Europe. Ireland is where the European headquarters of Meta, Apple, Twitter, and Google are located thanks to the special tax treatment Ireland has used to lure them there, including a low corporate income tax of 12.5%.

Irish watchdog issued the fine after years of dispute about how data is transferred across the Atlantic. The decision says a complex legal mechanism, used by thousands of businesses for transferring data between the regions, was not lawful.

This situation is about the unresolved tensions between Europe and the United States over data privacy, government surveillance and regulation of internet platforms.

The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences,” the statement said.


History and background

This fine against Meta has long history.

Legal background: US / EU transfer regulation

Due to big amounts of data transfer carried between USA and UK Safe Harbour mechanism was developed. Safe Harbor was self-regulatory framework that allowed organisations to satisfy the requirements of EU Data Protection Law. 26 July 2000 EU Commission issued the adequacy decision for the Safe Harbor. Safe Harbour was massively criticised, because of its self-certification nature non-EU style of provisions.

In 2013, lawyer and privacy activist Max Schrems complained about US intelligence agencies’ ability to access data following the Edward Snowden revelations about the National Security Agency (NSA).

The case challenged the Irish DPC’s refusal to investigate a complaint by Max Schrems asking the DPC to suspend data transfers from Facebook Ireland to Facebook Inc. due to Mr. Schrems’ concern that the Snowden revelations suggested his personal data could be accessed by U.S. intelligence authorities and that his EU data protection rights would be violated. At the time, Facebook relied on the U.S.-EU Safe Harbor Framework as the legal basis for personal data transfers under the EU Data Protection Directive. The Irish High Court referred the case to the CJEU. In 2015, the CJEU ruled that the European Commission’s adequacy determination for the U.S.-EU Safe Harbor Framework was invalid.

On 29 of February 2016 Commission released the draft EU-U.S. Privacy Shield. On 12 July 2016 EU-U.S. Privacy Shield became “adequate”.

On 16 July 2020, the Court of Justice of the European Union (ECJ) in its Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (called “Schrems II case”) invalidated the EU-US Privacy Shield. The Court cast doubt over the extent transfers can be legitimised by the European Commission’s Standard Contractual Clauses (SCC) for personal data transfers to the US and globally. The SCCs were still valid as a transfer mechanism in principle but would require additional work. In 2020, the Court of Justice of the European Union struck down a previous agreement for data sharing, called the EU-U.S. Privacy Shield, following the Schrems II court ruling that took issue with the way the U.S. government was handling EU personal data. Removal of the EU-U.S. Privacy Shield framework left companies in legal limbo when it came to the exchange of data between the EU and U.S. Companies risked noncompliance with the EU's General Data Protection Regulation without the legal data sharing framework, which was necessary because the U.S. has no data privacy law protecting EU data.

U.S. President Joe Biden and European Commission President Ursula von der Leyen reached an agreement in March 2022 on a new data sharing framework called the EU-U.S. Data Privacy Framework, which restored the legal safeguards for transatlantic data flows. However, the EU must still adopt and implement the new data sharing framework.However, the EU's European Parliament and EDPB have negative opinions on the framework, said Forrester analyst Enza Iannopollo. Even if the EU moves forward with the new EU-U.S. Data Privacy Framework, she said it would only be another temporary fix to long-standing data privacy issues.

"The need to facilitate compliance with the international data transfer requirements is well understood," Iannopollo said. "However, [this] decision shows that there are situations that create very high risk and European data protection authorities will continue to look into these cases, regardless of any frameworks."

Right now USA isn’t adequate jurisdiction.

Meta case

The enquiry into Meta Ireland was launched in August 2020 but rests on a much lengthier history of questions over the legality of the company’s US-EU data transfers.

A draft decision was completed in July last year, finding that the company’s data transfers were in breach of the EU’s GDPR and mandating their immediate suspension.

The case also concluded that data transfers based on Standard Contract Clauses must be found to include safeguards providing data subjects with protections essentially equivalent to those guaranteed by the GDPR and the EU’s Charter of Fundamental Rights.

The draft decision was subsequently submitted to the European Data Protection Board, which gathers all European data protection authorities. All authorities agreed with the Irish regulator’s proposal to order a suspension of data transfers.

However, four authorities raised objections over the DPC’s proposed corrective powers, arguing that Meta should be hit with a fine over the infringement. Two of the four also called for action to address personal data that had already been unlawfully transferred to the US since July 2020.

The DPC pushed back against this argument, and the issue was referred to the Board’s dispute resolution mechanism, under which a binding decision was issued last month.

As a result, an administrative fine of €1.2 billion has been levied against the tech giant, the largest ever for a GDPR violation, surpassing the previous record set against Amazon with €746 million.


What’s next?

Meta has already made a statement. On Monday it was declared that company would appeal the ruling, including the fine. In a response to the DPC's final decision, Meta said it was following the same rules as all the other US companies doing business in the EU and was "disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe."

Despite what the DPC said was its legal obligations to confer with the EDPB, Meta called the Board's move a "disregard [for] the clear progress that policymakers are making to resolve this underlying issue," referring to ongoing discussions about the EU-US Data Protection Framework (DPF), another attempt at a shared transatlantic definition of data protection adequacy between the two governments.

Meta statemed, that the ability for data to be transferred across borders is fundamental to how the global open internet works.

Thousands of businesses and other organizations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day. And the absence of the adequacy decision of USA creates dilemma for businesses: either to take a risk and to hope that regulators won’t notice them, or to put huge efforts into the compliance of transfers to USA. At some point, to comply with the Chapter of GDPR on International Transfers means losing time and money.

Moreover, there is a chance of the business abuse using data privacy, however, that is the story for another day.

44 views0 comments


bottom of page