Meta, formerly known as Facebook, has received a formal suspension order from the European Data Protection Board (EDPB) instructing it to cease exporting European Union user data to the United States for processing. The EDPB has imposed a fine of €1.2 billion (approximately $1.3 billion) on Meta, marking the highest penalty ever imposed under the General Data Protection Regulation (GDPR) in the European Union. This surpasses the previous record held by Amazon, which was fined $887 million in 2021 for the improper use of customer data in targeted advertising.
You can also read: Tradition vs New values: What does the global stats say?
The sanction against Meta is a result of the company’s violation of conditions outlined in the EU’s regulation governing the transfer of personal data to third countries, such as the United States, without ensuring sufficient safeguards for individuals’ information. European courts have previously determined that U.S. surveillance practices conflict with privacy rights in the EU.
What actually happened?
In a press release, Andrea Jelinek, Chair of the EDPB, emphasised the seriousness of Meta Ireland’s infringement, noting that the transfers in question were systematic, repetitive, and continuous. With millions of users in Europe, Facebook’s transfer of personal data on such a massive scale has warranted this unprecedented fine, serving as a clear warning to organisations that severe infringements carry significant consequences.
As of now, the Irish Data Protection Commission (DPC), responsible for enforcing the EDPB’s binding decision, has not provided any comments on the matter. However, Meta promptly released a blog post responding to the suspension order, indicating its intention to appeal the fine, which it deems “unjustified and unnecessary.” The company sought to attribute the issue to a conflict between EU and U.S. law rather than its own privacy practices. Nick Clegg, President of Global Affairs, and Jennifer Newstead, Chief Legal Officer, authored the blog post and mentioned that they would appeal the decision and request a stay from the courts to halt the implementation deadlines, citing the potential harm to the millions of daily Facebook users.
Meta, earlier this year, issued a warning to investors regarding the potential impact of an EU data flows suspension on its global ad revenue. According to Meta, approximately 10% of its worldwide ad revenue would be jeopardized in such a scenario. When questioned about preparations for a possible suspension prior to the decision, Meta spokesperson Matthew Pollard declined to provide further guidance and referred back to a previous statement in which the company stated that the case pertained to a “historic conflict of EU and US law.” Meta suggested that EU and U.S. lawmakers are actively working on a new transatlantic data transfer agreement to address this conflict, although the revised framework has not yet been adopted.
Future of Facebook in Europe
Meta has been given five months to suspend any future transfer of personal data to the U.S. and six months to cease the unlawful processing and storage of European user data that has been previously transferred without a valid legal basis.
Meta has expressed its intention to appeal the decision and is likely seeking to delay implementation while it presents its arguments in court. Schrems has previously suggested that Meta will ultimately need to federate Facebook’s infrastructure to offer a service to European users without the need to export their data to the U.S. for processing. However, in the short term, Meta may be able to avoid suspending EU-U.S. data flows due to the transition period provided in the decision. This timeframe should provide enough time for the adoption of a new transatlantic data transfer agreement.
Reports indicate that the European Commission could adopt the new EU-U.S. data deal in July, although an exact date has not been provided due to the involvement of multiple stakeholders in the process. If the agreement is adopted, Meta would have a new solution to circumvent the suspension of its services in the EU. However, legal challenges to the new transatlantic data transfer deal are expected, and Schrems has expressed doubts about its survival after legal review.
This ruling is the culmination of a decade-long battle that began when Austrian privacy campaigner Max Schrems challenged Facebook’s failure to protect privacy rights. This legal battle has revolved around the legality of transferring EU data to the US. The European Court of Justice (ECJ) has repeatedly stated that the US lacks sufficient safeguards to protect Europeans’ data, and in 2020, the ECJ invalidated an EU-to-US data transfer agreement. However, the court allowed for the use of SCCs as long as they ensure an “adequate level of data protection.” Meta has been found to have failed this requirement.
Legal complexity complicates future of user data transfer
Meta and other U.S. tech giants that rely on data export for processing may find themselves trapped in a cycle of challenges and suspension if the new mechanism faces legal scrutiny. Schrems believes that unless U.S. surveillance laws are reformed, Meta will likely need to store EU data within the EU.
Another question arises regarding whether Meta will be required to delete historical data transfers that lacked a legal basis. It is logical for any new transatlantic mechanism to apply only to future data flows, not past exports. This could pose an ongoing challenge for Meta, as leaked internal documents have indicated a lack of proper controls over internal ad data flows, potentially making the selective deletion of Europeans’ data an expensive issue for the company.
Meta claims that the DPC confirmed, in its decision, that the company will not be required to delete EU data subjects’ data once the underlying conflict of law has been resolved. However, when asked about this, the DPC stated that it does not know without directly asking Meta and referred to the requirement of bringing processing into compliance rather than deletion in its decision.
During a press conference, a Commission spokesman noted that the decision implements the European community’s commitment to data protection, based on the decision of the European Data Protection Board. The spokesman mentioned that the Irish authority has indicated that Meta must solve the problem concerning data transfers. Regarding EU-U.S. data transfers in general, the spokesman discussed on-going efforts to adopt a replacement transatlantic data adequacy deal, which is expected to be fully functional by the summer. The Commission aims to provide stability, legal certainty, and strict protection of citizens’ privacy. However, the spokesman declined to answer whether the future U.S. adequacy framework, once adopted by Meta, would apply retroactively to legalise unlawfully transferred user data, citing the complexity of the legal question.