Facebook, Instagram and WhatsApp owner Meta has been hit with a record €1.2 billion fine over EU-US data transfers by the Irish Data Protection Commission. The record GDPR fine comes after a decade of litigation and three court procedures against Meta’s Irish Data Protection Centre over the transfer of personal data from the EU to the US.
It is the largest EU privacy fine on record — exceeding the penalty of €746 million imposed on Amazon in 2021.
The Data Protection Commission (DPC) announced the conclusion of its inquiry into Meta Platforms Ireland Limited (“Meta Ireland”) earlier today, after examining the basis upon which Meta Ireland transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service.
In a statement, the DPC said:
“The DPC adopted its final decision in this inquiry on 12 May 2023. The decision records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.
“While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.”
The case, which started in 2013, came to an end on Monday, with a ruling that Meta must stop any further transfers of European personal data to the United States, given that Meta is subject to US surveillance laws. The European Data Protection Board (EDPB) largely overturned the Irish Data Protection Centre (DPC) and also insisted on a record fine, and that previously transferred data must be returned to the EU.
Today’s decision was described as a major blow for the owner of Facebook. Since 2013, the company has failed to take material precautions and has ignored the European Court of Justice and the European Data Protection Board. However, the company now has to return all personal data to its EU data centres, on top of paying an unprecedented fine.
Today’s decision dates back to revelations made in 2013 by Edward Snowden, the former US National Security Contractor, who made it known that American authorities had repeatedly accessed people’s information via Facebook and Google. Australian privacy campaigner Max Schrems filed the legal challenge against Facebook for failing to protect his privacy rights – starting a lengthy legal battle which has grappled with the legality of moving EU data to the US.
The campaigner welcomed the decision today.
“We are happy to see this decision after ten years of litigation. The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems,” Schrems said.
“It took us ten years of litigation against the Irish DPC to get to this result,” he added. “We had to bring three procedures against the DPC and risked millions of procedural costs. The Irish regulator has done everything to avoid this decision, but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland – the EU Member State that did everything to ensure that this fine is not issued.”
The present conflict between EU privacy laws and US surveillance laws also presents a problem for other US cloud providers, including Google, Microsoft and Amazon.
“The simplest fix would be reasonable limitations in US surveillance law,” Schrems said. “There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance. It would be time to grant these basic protections to EU customers of US cloud providers. Any other big US cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under EU law.”
It is expected that Meta will file an appeal with the Irish and potentially also the European Courts. However, the CJEU has already decided that there was no valid legal basis for EU-US data transfers between at least 2007 and 2023 in two cases; there is also no option for a new deal to legalise previous violations of the law, casting doubt on the chances of having the decision overturned.
“Meta will appeal this decision, but there is no real chance to have this decision materially overturned. Past violations cannot be overcome by a new EU-US deal. Meta can at best delay the payment of the fine for a bit,” Schrems said.
Europe’s top court has repeatedly said that the US does not have sufficient checks in place to protect personal information of European users, and the US recently updated internal legal protections in order to afford the EU greater assurances that US intelligence agencies will comply with new rules governing access to data.
Reports that Meta may have to pull Facebook and Instagram from Europe were rejected by Schrems.
“Facebook’s empty threats that they will stop services in Europe are laughable. It is by far the biggest market for them outside of the US. One potential option moving forward would be a ‘federated’ social network, where European data stays in their data centers in Europe, unless users for example chat with a US friend,” he said.
Meta said it would appeal the decision, adding that it was “disappointed” by the ruling.
“We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of orders through the courts,” the company said.
“The decision is flawed, unjustified, and sets a dangerous precedent for the countless other companies transferring data between the EU and US,” Meta added.