Meta, the parent company of Facebook, faces a significant ruling from the Irish Data Protection Commission (DPC). The decision entails a hefty fine of €1.2 billion and the suspension of European personal data transfers to the United States due to concerns over US surveillance laws. Meta plans to appeal the decision, while also hoping for a new EU-US data transfer deal.
The outcome of this case has far-reaching implications for data protection and privacy in Europe. Keep reading to learn more 👇
Over the span of ten years, this case has involved three separate court proceedings and incurred millions of euros in legal expenses.
→ In 2013, the DPC dismissed the initial complaint as “frivolous,” which led Max Schrems, founder of NOYB – European Center for Digital Rights, to escalate the matter to the Court of Justice of the European Union (CJEU).
→ Later, the DPC argued that it lacked the authority to take action because Meta used “Standard Contractual Clauses“. However, the CJEU rejected this argument and instructed the DPC to proceed with enforcement.
→ In January 2023, the DPC fined Meta a total of €390 million for violating GDPR regulations related to its Facebook and Instagram services. However, the European Data Protection Board (EDPB) and other European Supervisory Authorities deemed the fine too low, leading to a reassessment of the situation.
🔎 For more details on the case, see here →
As a result, the legal proceedings have accumulated costs of over 10 million euros, with the fine itself being assigned to the Irish state.
In a historic decision against Meta, the Irish DPC has ordered Meta to stop the transfer of European personal data to the United States due to concerns over US surveillance laws.
The EDPB supported the decision, stressing the need for a significant fine, and the return of previously transferred data to EU data centers.
After receiving the suspension order, Meta wasted no time in publishing a blog post to address the situation and announce its plans to appeal.
💬 In their statement, Meta diverted attention to the clash between EU and US law. They put forth the argument that the issue stems from the complexities surrounding international legal frameworks.
Regarding future data transfers, Meta is banking on a new EU-US data transfer deal. However, a new EU-US deal cannot rectify past violations of the law. Additionally, the deal has faced criticism from the European Parliament and may face invalidation by the CJEU, just like the previous deals (“Privacy Shield” and “Safe Harbor”).
💬 Schrems believes the chances of the new deal surviving judicial scrutiny are low, and unless US surveillance laws change, Meta will likely need to keep EU data within the EU.
A Trans-Atlantic Data Privacy Framework (DPF) had been agreed to in principle between the European Commission and the United States. The DPF serves to ensure that data transferred to the US is adequately protected and addresses the EU Court of Justice’s ruling on safe and secure data flows.
Some work remains to be done before the final text is complete. The US issued an Executive Order that includes the commitments made in the agreement. However, the European Commission needs to issue a draft adequacy decision based on that order. The EDPB has also been involved in the procedure and has issued its opinion.
Likely, there won’t be any immediate changes.
→ The recent decision allows for a transition period of approximately six months before Meta must suspend data flows.
→ During this period, the service will continue to operate as usual.
→ Since Meta has expressed its intention to appeal the decision, it may seek to delay implementation while it presents its arguments in court.
It’s anyone’s guess whether the new transatlantic data transfer deal will be ready before the six-month transition period is up. Meta could theoretically avoid suspending EU-US data flows during the transition period if the adoption of a new deal would offer Meta an alternative solution to avoid suspending its service in the EU.
However, it is very unlikely that such a deal will have a retroactive effect and therefore the requirements of this decision could still stand.
Additionally, since legal challenges to the new transatlantic data transfer deal are expected, this means that Meta and other US tech giants whose business models rely on data transfers to the US may find themselves facing similar challenges in the future.
📬 Want more news like this delivered to your inbox? Join the list @ dponewsletter.com