Europe’s GDPR has just dealt its biggest hammer blow yet. Almost exactly five years since the continent’s strict data rules came into force, Meta has been hit with a colossal €1.2 billion fine ($1.3 billion) for sending data about hundreds of millions of Europeans to the United States, where weaker privacy rules open it up to US snooping.
Ireland’s Data Protection Commission (DPC), the lead regulator for Meta in Europe, issued the fine after years of dispute about how data is transferred across the Atlantic. The decision says a complex legal mechanism, used by thousands of businesses for transferring data between the regions, was not lawful.
The fine is the biggest GDPR penalty ever issued, eclipsing Luxembourg’s $833 million fine against Amazon. It brings the total amount of fines under the legislation to around €4 billion. However, it’s small change for Meta, which made $28 billion in the first three months of this year.
In addition to the fine, the DPC’s ruling gives Meta five months to stop sending data from Europe to the US and six months to stop handling data it previously collected, which could mean deleting photos, videos, and Facebook posts or moving them back to Europe. The decision is likely to bring into focus other GDPR powers, which can impact how companies handle data and arguably cut to the heart of Big Tech’s surveillance capitalism.
Meta says it is “disappointed” by the decision and will appeal. The decision is also likely to heap extra pressure on US and European negotiators who are scrambling to finalize a long-awaited new data-sharing agreement between the two regions that will limit what information US intelligence agencies can get their hands on. A draft decision was agreed to at the end of 2022, with a potential deal being finalized later this year.
“The entire commercial and trade relationship between the EU and the US underpinned by data exchanges may be affected,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank. “While this decision is addressed to Meta, it is about facts and situations that are identical for all American companies doing business in Europe offering online services, from payments, to cloud, to social media, to electronic communications, or software used in schools and public administrations.”
The billion-euro fine against Meta has a long history. It stems back to 2013, long before GDPR was in place, when lawyer and privacy activist Max Schrems complained about US intelligence agencies’ ability to access data following the Edward Snowden revelations about the National Security Agency (NSA). Twice since then, Europe’s top courts have struck down US–EU data-sharing systems. The second of these rulings, in 2020, made the Privacy Shield agreement ineffective and also tightened rules around “standard contractual clauses (SCCs).”
The use of SCCs, a legal mechanism for transferring data, is at the center of the Meta case. In 2020, Schrems complained about Meta’s use of them to send data to the US. Today’s Irish decision, which is supported by other European regulators, found Meta’s use of the legal tool “did not address the risks to the fundamental rights and freedoms of data subjects.” In short, they were unlawful.
Ireland first decided the tool fell foul of GDPR in July 2022, and since then the case has been wrapped up in European bureaucracy, with other countries having a say on the decision and deciding the penalties that should apply. Ultimately, through the European Data Protection Board (EDPB), other countries overruled the Irish regulator, which had argued Meta shouldn’t be fined.