Europe’s GDPR has just dealt its biggest hammer blow yet. Almost exactly five years since the continent’s strict data rules came into force, Meta has been hit with a colossal €1.2 billion fine ($1.3 billion) for sending data about hundreds of millions of Europeans to the United States, where weaker privacy rules open it up to US snooping.
Ireland’s Data Protection Commission (DPC), the lead regulator for Meta in Europe, issued the fine after years of dispute about how data is transferred across the Atlantic. The decision says a complex legal mechanism, used by thousands of businesses for transferring data between the regions, was not lawful.
The fine is the biggest GDPR penalty ever issued, eclipsing Luxembourg’s $833 million fine against Amazon. It brings the total amount of fines under the legislation to around €4 billion. However, it’s small change for Meta, which made $28 billion in the first three months of this year.
In addition to the fine, the DPC’s ruling gives Meta five months to stop sending data from Europe to the US and six months to stop handling data it previously collected, which could mean deleting photos, videos, and Facebook posts or moving them back to Europe. The decision is likely to bring into focus other GDPR powers, which can impact how companies handle data and arguably cut to the heart of Big Tech’s surveillance capitalism.
Meta says it is “disappointed” by the decision and will appeal. The decision is also likely to heap extra pressure on US and European negotiators who are scrambling to finalize a long-awaited new data-sharing agreement between the two regions that will limit what information US intelligence agencies can get their hands on. A draft decision was agreed to at the end of 2022, with a potential deal being finalized later this year.
“The entire commercial and trade relationship between the EU and the US underpinned by data exchanges may be affected,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank. “While this decision is addressed to Meta, it is about facts and situations that are identical for all American companies doing business in Europe offering online services, from payments, to cloud, to social media, to electronic communications, or software used in schools and public administrations.”
The billion-euro fine against Meta has a long history. It stems back to 2013, long before GDPR was in place, when lawyer and privacy activist Max Schrems complained about US intelligence agencies’ ability to access data following the Edward Snowden revelations about the National Security Agency (NSA). Twice since then, Europe’s top courts have struck down US–EU data-sharing systems. The second of these rulings, in 2020, made the Privacy Shield agreement ineffective and also tightened rules around “standard contractual clauses (SCCs).”
The use of SCCs, a legal mechanism for transferring data, is at the center of the Meta case. In 2020, Schrems complained about Meta’s use of them to send data to the US. Today’s Irish decision, which is supported by other European regulators, found Meta’s use of the legal tool “did not address the risks to the fundamental rights and freedoms of data subjects.” In short, they were unlawful.
Ireland first decided the tool fell foul of GDPR in July 2022 and since then, the case has been wrapped up in European bureaucracy, with other countries having a say on the decision and deciding the penalties that should apply. Ultimately, through the European Data Protection Board (EDPB), other countries overruled the Irish regulator, which had argued Meta shouldn’t be fined.
“This is an absolutely significant fine and yet, the penalties may be inconsequential for people’s rights as Meta can hold on to data it has moved unlawfully,” says Estelle Masse, the global data protection lead at European NGO Access Now. “It’s a bittersweet decision.” Since GDPR came into force in May 2018, it has been criticized for not effectively curtailing the worst data practices of Big Tech. Masse argues that Meta should have been made to delete the data it collected unlawfully, and that GDPR enforcement needs to change companies’ business practices. (In the US, the Federal Trade Commission fined Meta $5 billion in 2019 and has previously ordered companies to delete algorithms created with improperly collected data.)
The new ruling stops short of forcing Meta to delete the data but says it should ensure that all stored data from Europeans be lawfully handled within six months. This could include deletion or moving the data back to Europe, the EDPB says, but could also include Meta using “other technical solutions.”
“One potential option moving forward would be a ‘federated’ social network, where European data stays in their data centers in Europe, unless users chat with a US friend, for example,” Schrems said in a statement. Zanfir-Fortuna says that data localization can be “very difficult to obtain in practice.”
It is likely, if Meta decides to move data back to Europe, that untangling it all from within its internal systems will be tricky, if not impossible. Previous reports have indicated that Meta doesn’t know where all its data goes, and court documents obtained by the Irish Council for Civil Liberties are said to show “data anarchy at Meta.”
Meta’s president of global affairs, Nick Clegg, said in a statement that the company is appealing the decisions with courts that will be able to “pause the implementation deadlines.” Clegg characterized the decision as a threat to the global internet: “Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”
The Simplest Fix
Lurking behind the colossal fine is the underlying issue of how data is shared between the EU and the US. Europe’s GDPR sets out how companies and other organizations should collect, use, and store people’s data and also increases the rights given to individuals. People can ask what data is held about them or request that information be deleted, for instance.
The rules are stricter than protections put in place in the US, particularly regarding data collected about non-US citizens, which can be intercepted by intelligence agencies under Section 702 of the Foreign Intelligence Surveillance Act. In October 2022, US president Joe Biden signed an executive order that would introduce limits to what data security agencies can access under a proposed new EU–US Data Privacy Framework.
In Meta’s response to the GDPR decision, Clegg referenced the new international agreement and said that if it comes into force before the Irish deadlines, “our services can continue as they do today without any disruption or impact on users.”
The executive order would, among other things, create a Data Protection Review Court within the US Department of Justice that allows Europeans to challenge how American intelligence agencies use their data. Gloria González Fuster, a professor at the Vrije Universiteit Brussel, says there are “multiple tensions” between the proposed plans. “The very limited information given to complainants by the Data Protection Review Court (DPRC) is one of the major problems,” Fuster says, adding the approach doesn’t match those of Europe’s courts.
Since two previous data-sharing agreements have been struck down by Europe’s courts, it is likely that the new agreement, which could come into force before Meta has to deal with Ireland’s orders, may be challenged. “The framework from the get-go is an improvement from the two previous, but we don’t think it gets us to a point where it would stand a legal challenge in the court,” Masse says.
Schrems, who made the original complaint against Meta and was responsible for the cases that destroyed the previous US–EU data-sharing agreements, believes there’s a 10 percent chance Europe’s courts will find the new agreement to be lawful. “The simplest fix,” Schrems said, “would be reasonable limitations in US surveillance law.”