Meta Fined with €1.2B by GDPR for EU-US Data Transfers

For the past decade, Meta has been embroiled in a legal battle over its involvement in US mass surveillance. After a long and arduous journey, the European Data Protection Board (EDPB) has finally made a direct decision. Meta must cease any further transfers of European personal data to the United States. This is due to the fact that Meta is subject to US surveillance laws such as FISA 702. The EDPB overturned the Irish Data Protection Commissioner’s (DPC) decision, demanding a record fine and that previously transferred data must be returned to the EU.

This is a major blow for Meta. Ever since Edward Snowden’s 2013 revelations on US big tech aiding the NSA mass surveillance apparatus, Facebook (now Meta) has been facing litigation in Ireland. Despite this, Meta has failed to take any material precaution for ten years and simply ignored the European Court of Justice (CJEU) and the EDPB.

As a result, not only does Meta have to pay a record fine of €1.2 billion, but it must also return all personal data to its EU data centers.

Impact on Other Large US Cloud Providers

The current conflict between EU privacy laws and US surveillance laws is also a problem for other large US cloud providers such as Microsoft, Google or Amazon. The underlying US surveillance law (FISA 702) must be reauthorized by December 2023. This may encourage US big tech to push for material changes, now that there is the first major fine from EU data protection authorities. Several decisions from France, Italy and Austria have found the use of US services unlawful but did not include any major fines.

Meta will likely file an appeal with both the Irish and potentially European Courts; however, it is unlikely that this decision will be materially overturned due to two previous CJEU cases between 2007 and 2023 which found there was no valid legal basis for EU-US data transfers. There is also no option for any new deal to legalize past violations of the law.

Meta’s EU-US Data Transfer Deal

For future transfers, Meta hopes to switch to a new EU-US data transfer deal which has already faced harsh criticism from the European Parliament but will likely come into force after summer. However, it is not unlikely that this new deal will be invalidated by the CJEU with retroactive effect. Just like its predecessors “Privacy Shield” and “Safe Harbor”!

The Irish DPC’s role in this procedure has been exceptional. In 2013, it rejected Mr Schrems’ original complaint as “frivolous” requiring him to go all the way to the CJEU. Then took the view that it could not take action due to Meta making use of so-called “Standard Contractual Clauses” which was again rejected by the CJEU who told them they must take action. Finally, they tried to shield Meta from a fine and deletion of transferred data only to be overturned by the EDPB. These procedures have cost more than 10 million Euro. Though the fine will go to the Irish state.

Meta’s Future in Europe

Meta had previously spread rumors that it would stop providing services in Europe. However, this is highly unlikely given Europe’s status as their biggest source of income outside of the US. And their already established local data centers in the EU. A possible long term solution could be some form of ‘federated social network’ where most personal data would stay in the EU while only ‘necessary’ transfers would continue.

Meta has known about their legal situation for 10 years and was served with a draft decision in 2022. This makes it hard to argue ignorance or lack of preparation time. CJEU judgement allows users to claim emotional damages for smaller GDPR violations, like US mass surveillance, which could lead to larger penalties. The EU’s Collective Redress Directive will allow collective actions by European users for GDPR violations this summer; more litigation may follow.