That Meta GDPR fine is €1.2B. Plus biz must stop sending EU data to US
Zuckercorp says the EU-US Data Privacy Framework will pass before its penalties are enacted, so why worry?
Ireland's Data Protection Commission (DPC) has levied a new record GDPR fine against Facebook parent company Meta for 'systematic, repetitive and continuous' transfer to the US of data belonging to EU residents.
The record €1.2 billion ($1.3b) fine comes along with a decision that Meta will have to suspend data transfers from EU countries to the US within five months, and that it'll have six months to ensure processing and storage of EU citizens' data is in compliance with the GDPR.
Irish officials, who led the investigation and made the final decision, weren't actually keen on fining Facebook, and instead wanted to suspend data transfers to the US. Upon consultation with other concerned supervisory authorities (CSAs), however, the DPC said it found a few that objected to the fine-free draft decision.
"Following an informal consultation process, it became clear that consensus could not be reached," the DPC said. According to the Irish authority, it's obligated under the GDPR to consult with the European Data Protection Board (EDPB) when a consensus between CSAs can't be reached, and the EDPB decided last month after reviewing the case that a fine was in order.
"The EDPB found that Meta IE's infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences," said EDPB chair Andrea Jelinek.
For those curious, Meta earned $5.709 billion in the first three months of 2023.
Meta says we're not the only ones
In a response to the DPC's final decision, Meta said it was following the same rules as all the other US companies doing business in the EU and was "disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe."
Despite what the DPC said was its legal obligation to confer with the EDPB, Meta called the Board's move a "disregard [for] the clear progress that policymakers are making to resolve this underlying issue," referring to ongoing discussions about the EU-US Data Privacy Framework (DPF), another attempt at a shared transatlantic definition of data protection adequacy between the two governments.
While the European Commission has begun the process of adopting an adequacy decision regarding the DPF, European lawmakers have been vocal about their opposition to the adequacy decision. Most recently, the EU's Committee on Civil Liberties, Justice and Home Affairs issued a resolution describing the DPF as an improvement over the prior EU-US Privacy Shield, but still insufficient to protect EU citizens' data from being snooped on by Uncle Sam. The EDPB expressed a similar position in February.
Conform to international law? Us?
While it might not be happy about the fine, Meta doesn't seem overly concerned about the DPC's suspension order. In its response to the decision, Meta said it was happy "that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects' data once the underlying conflict of law has been resolved," again referring to the DPF.
When asked how that jibes with the DPC having actually imposed a suspension order, a Meta spokesperson only referred us back to the company's statement and added that the suspension won't take effect if the DPF is enacted before the five-month deadline is up.
The DPC for its part only said in its ruling that it has to make decisions based on current EU law; with the DPF not currently an active EU law, "it does not bear on the issues addressed in this Decision," the DPC said.
Meta didn't answer questions about whether it's still making plans to conform to the suspension in case a DPF decision doesn't arrive on time. We asked similar questions about the implementation of the transfer suspension, and Meta's response to the decision, to the DPC but have yet to hear back.
In a statement sent to The Register, Eddie Powell, data protection partner at London law firm Fladgate, said the suspension order was the "first big use" of EU authorities' ability to order such data transfer pauses, and is likely to be a headache for Meta, who "will be hoping that the US/EU deal version 3 – the 'Data Privacy Framework' – gets approved and implemented quickly."
Meta said it will "appeal both the decision's substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines."
Max Schrems, leader of EU privacy advocacy group noyb and arguably the man responsible for killing prior EU-US data transfer frameworks, said that Meta's appeals and the pinning of its hopes on the DPF put it on shaky ground. After all, it's likely Schrems and company will file a complaint as soon as the framework is ratified.
Schrems, who is no fan of the Irish DPC, said in a statement responding to its ruling against Meta that its past actions can't be overlooked when a new law goes into effect. Beyond that, Schrems said, he doesn't think the DPF will hold up to its all-but-inevitable judicial scrutiny.
"In my view, the [DPF] has maybe a ten percent chance of not being killed by the CJEU. Unless US surveillance laws get fixed, Meta will likely have to keep EU data in the EU," Schrems said. ®