Meta, the company which owns Facebook, has been fined €1.2 billion and has been ordered to suspend transfers of data from Facebook users in the Europe to the US.
The fine, issued by the Irish Data Protection Commissioner, is the largest imposed by the European Union for breaching data protection regulations.
The decision is expected to have wider ramifications for companies that share data between Europe and the US which now face regulatory uncertainty.
The Data Protection Commission (DPC) found that Meta Ireland continued to breach the General Data Protection Regulation by failing to comply with a ruling by the European Court of Justice in 2020 that required additional privacy protections for data transferred from Europe to the US.
The DPC found that Meta Ireland’s use of Standard Contractual Clauses (SCCs) – a EU approved legal mechanism for transferring data to the US – together with supplementary measures, did not address “the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.”
Under the decision, Meta Ireland is required to suspend any future transfers of data to the US within five months.
It has been given six months to bring its processing operations into compliance with the General Data Protection Regulation (GDPR), by ceasing unlawful processing and storage of EU personal data in the US transferred in violation of GDPR.
Meta claims ‘dangerous precedent’
Meta said that it will appeal the ruling, including the “unjustified and unnecessary fine”, and will seek a stay of the orders through the courts.
Writing in a blog post, President, Global Affairs at Meta, Nick Clegg, and Chief Legal Officer Jennifer Newstead, said that the decision would create a dangerous precedent for other companies transferring data between the EU and the US.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US,” they said.
The DPC found that Meta was in breach of a ruling by the European Court of Justice in 2020, which struck down the US-EU data sharing agreement between the US and Europe, Privacy Shield.
The 2020 decision introduced tougher requirements for companies using Standard Contractual Clauses as a legal basis to transfer data to the US.
The court found that people must be given “essentially equivalent protection” for their data when it is transferred to the US and other countries, as they would receive in the EU under GDPR and the European Charter of Fundamental Rights, which guarantees people the right for private communications and the protection of their private data.
Standard Contractual Clauses
The case will have a knock-on impact for companies that rely on EU Standard Contractual Clauses as a legal mechanism to transfer data from the EU to the US.
It is also likely to put pressure on the EU and the US to finalise a new deal on data protection adequacy, known as the Trans-Atlantic Data Privacy Framework.
“The DPC’s ruling that the standard contractual clauses are not a valid mechanism to transfer personal data to the US will have a significant impact on the ability of organisations of all shapes and sizes to lawfully share and receive data from Europe,” said lawyer Edward Machin, at law firm Ropes & Gray’s.
“It will also kick off a race against time for lawmakers to finalise the EU-US data transfer framework before the end of the six-month transition period that the DPC has given Meta to bring its transfers into compliance,” he added.
Ten year legal battle
The decision is the latest in a ten year legal battle between Austrian lawyer Max Schrems and Meta.
At its root is the discrepancy between EU Privacy laws and US surveillance laws, including the Foreign Intelligence Surveillance Act (FISA), which give US intelligence agencies sweeping powers to harvest the personal data and communications of non-US citizens.
Schrems said in a statement that US surveillance laws, including FISA 702, which permits targeting of non-US citizens outside the US, is also a problem for all other large US cloud providers, such as Microsoft, Google or Amazon.
“Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems,” he said.
“There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance. It is time to grant these basic protections to EU customers of US cloud providers,” he added.
Future of EU-US data protection
The Trans-Atlantic Data Privacy Framework is expected to come into force in the Summer, but is widely expected to face further legal challenges.
A legal challenge could result in the new framework being over-turned by the European Court, which has previously annulled its predecessor Privacy Shield in 2020 and Safe Harbor in 2015.
Eddie Powell, data protection partner at London law firm Fladgate said that the size of Meta’s fine reflected the fact that Meta’s systems were structured so that the data collected on its social media platforms had to be sent to the USA “without any kind of firebreak”.
But he said it that the fine, equivalent to about 1% of Meta’s worldwide turnover, could have been significantly higher, up to a maximum of 4% of Meta’s worldwide turnover.
Meta: ‘serious questions’
Clegg and Newstead said in their blogpost that the DPC “initially acknowledged that Meta had continued its EU-US data transfers in good faith, and that a fine would be unnecessary and disproportionate” but have been over-ruled by the European Data Protection Board,
They argued that the EDPB, the independent European data protection regulator, had chosen to disregard the progress that policy makers were making to resolve the “fundamental conflict” between US government access to European data and the privacy rights of Europeans.
The decision “raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard,” they said.