It’s finally happened: Meta, the company formerly known as Facebook, has been hit with a formal suspension order requiring it to stop exporting Facebook users’ data from the European Union to the US for processing.
Today the European Data Protection Board (EDPB) announced that Meta has been fined €1.2 billion (close to $1.3BN) — which the Board confirmed is the largest fine ever issued under the bloc’s General Data Protection Regulation (GDPR). (The prior record goes to Amazon, which was stung for $887M for misusing customers’ data for ad targeting back in 2021.)
Meta’s sanction is for breaching conditions set out in the pan-EU regulation governing transfers of personal data to so-called third countries (in this case the US) without ensuring adequate protections for people’s information.
European judges have previously found US surveillance practices to conflict with EU privacy rights.
In a press release announcing today’s decision the EDPB’s chair, Andrea Jelinek, said:
The EDPB found that Meta IE’s [Ireland’s] infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.
At the time of writing the Irish Data Protection Commission (DPC), the body responsible for implementing the EDPB’s binding decision, had not provided comment. (But its final decision can be found here.)
Meta quickly put out a blog post with its response to the suspension order in which it confirmed it will appeal — dubbing the fine “unjustified and unnecessary”. It also sought to blame the issue on a conflict between EU and US law, rather than its own privacy practices, with Nick Clegg, president, global affairs, and Jennifer Newstead, chief legal officer, writing:
We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day.
Back in April the adtech giant warned investors that around 10% of its global ad revenue would be at risk were an EU data flows suspension to actually be implemented.
Asked ahead of the decision what preparations it’s made for a possible suspension, Meta spokesman Matthew Pollard declined to provide “extra guidance”. Instead he pointed back to an earlier statement in which the company claimed the case relates to a “historic conflict of EU and US law” which it suggested is in the process of being resolved by EU and US lawmakers who are working on a new transatlantic data transfer arrangement. However the rebooted transatlantic data framework Pollard referred to has yet to be adopted.
It’s also worth noting that while today’s fine and suspension order is limited to Facebook, Meta is far from the only company affected by the ongoing legal uncertainty attached to EU-US data transfers — which the DPC observes in its conclusion, where it writes: “This Decision will bind Meta Ireland only. It is clear, however, that the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA” — so pressure is likely to be amped up on lawmakers on both sides of the Atlantic to get the deal over the line.
The decision emerging out of the Irish DPC flows from a complaint made against Facebook’s Irish subsidiary almost a decade ago, by privacy campaigner Max Schrems — who has been a vocal critic of Meta’s lead data protection regulator in the EU, accusing the Irish privacy regulator of taking an intentionally long and winding path in order to frustrate effective enforcement of the bloc’s rulebook.
On the substance of his complaint, Schrems argues that the only sure-fire way to fix the EU-US data flows doom loop is for the US to grasp the nettle and reform its surveillance practices.
Responding to today’s order in a statement (via his privacy rights not-for-profit, noyb), he said: “We are happy to see this decision after ten years of litigation. The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”
For its part, the DPC — which oversees GDPR compliance for multiple tech giants whose regional headquarters are sited in Ireland — routinely rejects criticism that its actions create a bottleneck for enforcement, arguing its processes reflect what’s necessary to perform due diligence on complex cross-border cases. It also often seeks to deflect blame for delays in reaching decisions onto other supervisory authorities that raise objections to its draft decisions.
However it’s notable that objections to DPC draft decisions against Big Tech have led to stronger enforcement being imposed via a cooperation mechanism baked into the GDPR — such as in earlier decisions against Meta and Twitter.
This suggests the Irish regulator is routinely under-enforcing the GDPR on the most powerful digital platforms and doing so in a way that creates additional problems for efficient functioning of the regulation since it strings out the enforcement process. (In the Facebook data flows case, for example, objections were raised to the DPC’s draft decision last August — so it’s taken some nine months to get from that draft to a final decision and suspension order now.) And, well, if you string enforcement out for long enough you may allow enough time for the goalposts to be moved politically that enforcement never actually needs to happen. Which, while demonstrably convenient for data-mining tech giants like Meta, does make a mockery of citizens’ fundamental rights.
As noted above, with today’s decision, the DPC is actually implementing a binding decision taken by the EDPB last month in order to settle ongoing disagreement over Ireland’s draft decision — so much of the substance of what’s being ordered on Meta today comes, not from Dublin, but from the bloc’s supervisor body for privacy regulators.
This apparently includes the existence of a financial penalty at all — since the Board notes it instructed the DPC to amend its draft to include a penalty, writing:
Given the seriousness of the infringement, the EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum. The EDPB also instructed the IE DPA to order Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the U.S. of personal data of European users transferred in violation of the GDPR, within 6 months after notification of the IE SA’s final decision.
The applicable legal maximum penalty that Meta can be sanctioned with under the GDPR is 4% of its global annual turnover. And since its full year turnover last year was $116.61BN the maximum it could have been fined here would have been over $4BN. So the Irish regulator has opted to fine Meta considerably less than it could have (but still a lot more than it wanted to).
In further public remarks today, Schrems once again hit out at the DPC’s approach — accusing the regulator of essentially working to thwart enforcement of the GDPR. “It took us ten years of litigation against the Irish DPC to get to this result. We had to bring three procedures against the DPC and risked millions of procedural costs. The Irish regulator has done everything to avoid this decision but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland — the EU Member State that did everything to ensure that this fine is not issued,” he said.
So what happens next for Facebook in Europe?
Nothing immediately. The decision provides a transition period before it must suspend data flows — of around six months — so the service will continue to work in the meanwhile. (More specifically, Meta has been given a transition period of five months to suspend any future transfer of personal data to the US; and a six month deadline to stop the unlawful processing and/or storage of European user data it has previously transferred without a valid legal basis.)
Meta has also said it will appeal and looks to be seeking to stay implementation while it takes its arguments back to court.
Schrems has previously suggested the company will — ultimately — need to federate Facebook’s infrastructure in order to be able to offer a service to European users which does not require exporting their data to the US for processing. But, in the near term, Meta looks likely to be able to avoid having to suspend EU-US data flows since the transition period in today’s decision should buy it enough time for the aforementioned transatlantic data transfer deal to be adopted.
Earlier reports have suggested the European Commission could adopt the new EU-US data deal in July, although it has declined to provide a date for this since it says multiple stakeholders are involved in the process.
Such a timeline would mean Meta gets a new escape hatch to avoid having to suspend Facebook’s service in the EU; and it can keep relying on this high-level mechanism so long as it stands.
Accordingly, and as directed by the EDPB further to the Article 65 Decision, I have included, in Section 10, below, an order requiring Meta Ireland to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within the period of 6 (six) months from the date on which this Decision is notified to Meta Ireland (“the Cessation Order”). I note, in this regard, that neither the CSAs [concerned supervisory authorities] (by way of the Deletion or Return Objections or otherwise) nor the EDPB expressed disagreement with my view, set out at paragraph 9.46 above, that “new measures, not currently in operation, may yet be capable of being developed and implemented by Meta Ireland and/or Meta US to compensate for the deficiencies identified herein”. While that view was expressed in the context of the suspension order that was proposed by the DPC in the Draft Decision (and which is reflected in Section 10, below), it applies equally to the Cessation Order. Accordingly, and for the sake of clarity and legal certainty, the orders specified in Section 10, below, will remain effective unless and until the matters giving rise to the finding of infringement of Article 46(1) GDPR have been resolved, including by way of new measures, not currently in operation, such as the possible future adoption of a relevant adequacy decision by the European Commission pursuant to Article 45 GDPR.
We also contacted the DPC to ask if it has provided Meta with any assurances on historical data deletion. But deputy commissioner Graham Doyle suggested the question would have to be addressed to Meta. “My understanding is that the EDPB and DPC decisions don’t reference deletion; they reference bringing processing into compliance — maybe that’s what Meta is referring to but I don’t know without asking them,” he added, offering no direct response.
In its draft decision on the complaint, the DPC’s data protection commissioner, Helen Dixon, took the view that making an order to direct the “bulk return and/or deletion of all transferred data from an identified point in time would be excessive”.
Asked about the data deletion issue, a spokeswoman for the EDPB told us: “The EDPB Binding Decision requires ‘the imposition of an order to Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR’. The Binding Decision does not specify whether this has to be achieved by means of deletion.”
She also said adoption of a new EU-US data transfer mechanism “would be a highly relevant change of circumstances”, adding: “It would be for the Irish DPA to decide on reconsidering both orders (one on future transfers, one on data transferred in the past).”
In a press conference earlier today a Commission spokesman was also asked about the Meta decision, which he said it takes note of, adding: “This decision implements the decision of the European community to protect data — a decision by the European Data Protection Board. When it comes to these transfers, the Irish authority has indicated that Meta must solve the problem.”
Making follow-on remarks about EU-US data transfers “generally”, the spokesman discussed the ongoing work towards adopting a replacement transatlantic data adequacy deal — stipulating that the Commission expects this data privacy framework to be “fully functional by the summer”.
“This will guarantee stability and legal certainty both sought by businesses and will also guarantee strict protection of the private lives of citizens,” he said, adding: “We expect it will also be challenged at some point. But the bottom line is we are working on the basis of the safeguards that the courts demanded and we are in the process of implementing.”
Asked whether this future US adequacy framework will be able to apply retroactively, once adopted by Meta, i.e. to legalize unlawfully transferred user data, a Commission spokesman declined to answer — dubbing it a “legally complex question” and adding: “We’ll have to see.”