Europe’s GDPR has just delivered its biggest hammer blow yet. Almost exactly five years after the continent’s strict data regulations went into effect, Meta has been hit with a whopping €1.2 billion ($1.3 billion) fine for sending data on hundreds of millions of Europeans to the United States, where weaker privacy rules open it up to US snooping.
The Irish Data Protection Commission (DPC), the leading regulator for Meta in Europe, has imposed the fine after years of disagreement over how data is transferred across the Atlantic. The decision says that a complex legal mechanism used by thousands of companies to transfer data between regions was not lawful.
The fine is the largest GDPR fine ever imposed, surpassing Amazon’s $833 million fine in Luxembourg. It brings the total amount of fines under the legislation to around €4 billion. However, it’s small change for Meta, which made $28 billion in the first three months of this year.
In addition to the fine, the DPC ruling gives Meta five months to stop sending data from Europe to the US and six months to stop processing previously collected data, which could mean photos, videos and Facebook messages will be deleted or moved back to Europe. The decision is likely to highlight other GDPR powers that could impact how companies handle data and arguably get to the heart of Big Tech surveillance capitalism.
Meta says it is “disappointed” by the decision and will appeal. The decision is also likely to put additional pressure on US and European negotiators who are scrambling to finalize a long-awaited new data-sharing agreement between the two regions. A draft decision was agreed at the end of 2022 and a possible deal will be finalized later this year.
“The entire commercial and trade relationship between the EU and the US, supported by data exchanges, could be affected,” said Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a non-profit think tank. “While this decision is directed at Meta, it concerns facts and situations that are identical for all U.S. companies doing business in Europe that offer online services, from payments to cloud, to social media, to electronic communications, or software used in schools and public administrations.”
‘Bittersweet decision’
The fine of one billion euros against Meta has a long history. It dates back to 2013, long before GDPR came into effect, when lawyer and privacy activist Max Schrems complained about the ability of US intelligence agencies to access data following Edward Snowden’s revelations about the National Security Agency (NSA). Since then, Europe’s highest courts have twice struck down data-sharing systems between the US and the EU. The second of these rulings, in 2020, made the Privacy Shield agreement ineffective and also tightened the rules around “Standard Contractual Clauses (SCCs)”.
The use of SCCs, a legal mechanism for transferring data, is at the heart of the Meta case. In 2020, Schrems complained about Meta using it to send data to the US. Today’s Irish decision, which is supported by other European regulators, found that Meta’s use of the legal tool “did not address risks to the fundamental rights and freedoms of data subjects.” In short, they were illegal.