It’s finally happened: Meta, the company formerly known as Facebook, has been hit with a formal suspension order requiring it to stop exporting European Union user data to the US for processing.
The European Data Protection Board (EDPB) confirmed today that Meta has been fined €1.2 billion (close to $1.3BN) — which looks to be a record sum for a penalty under the bloc’s General Data Protection Regulation (GDPR). (The prior record goes to Amazon which was stung for $887M for misusing customers data for ad targeting back in 2021.)
Meta’s sanction is for breaching conditions set out in the pan-EU regulation governing transfers of personal data to so called third countries (in this case the US) without ensuring adequate protections for people’s information.
European judges have previously found US surveillance programs to conflict with EU privacy rights.
In a press release announcing today’s decision the EDPB’s chair, Andrea Jelinek, said:
The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.
At the time of writing the Irish Data Protection Commission (DPC), the body responsible for implementing the EDPB’s binding decision, had not provided comment.
Meta quickly put out a blog post with its response to the suspension order in which it confirmed it will appeal. It also sought to blame the issue on a conflict between EU and US law, rather than its own privacy practices, with Nick Clegg, president, global affairs and Jennifer Newstead, chief legal officer, writing:
We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day.
Back in April the adtech giant warned investors that around 10% of its global ad revenue would be at risk were an EU data flows suspension to actually be implemented.
Asked ahead of the decision what preparations it’s made for a possible suspension, Meta spokesman Matthew Pollard declined to provide “extra guidance”. Instead he pointed back to an earlier statement in which the company claimed the case relates to a “historic conflict of EU and US law” which it suggested is in the process of being resolved by EU and US lawmakers who are working on a new transatlantic data transfer arrangement. However the rebooted transatlantic data framework Pollard referred to has yet to be adopted.
It’s also worth noting that while today’s fine and suspension order is limited to Facebook, Meta is far from the only company affected by the ongoing legal uncertainty attached to EU-US data transfers.
The decision by the Irish DPC flows from a complaint made against Facebook’s Irish subsidiary almost a decade ago, by privacy campaigner Max Schrems — who has been a vocal critic of Meta’s lead data protection regulator in the EU, accusing the Irish privacy regulator of taking an intentionally long and winding path in order to frustrate effective enforcement of the bloc’s rulebook.
Schrems argues that the only sure-fire way to fix the EU-US data flows doom loop is for the US to grasp the nettle and reform its surveillance practices.
Responding to today’s order in a statement (via his privacy rights not-for-profit, noyb), Schrems said: “We are happy to see this decision after ten years of litigation. The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”
The DPC, which oversees multiple tech giants whose regional headquarters are sited in Ireland, routinely rejects criticism that its actions create a bottleneck for enforcement of the GDPR, arguing its processes reflect what’s necessary to perform due diligence on complex cross-border cases. It also often seeks to deflect blame for delays in reaching decisions onto other supervisors authorities that raise objections to its draft decisions.
However it’s notable that objections to DPC draft decisions against Big Tech have led to stronger enforcement being imposed via a cooperation mechanism baked into the GDPR — such as in earlier decisions against Meta and Twitter. This suggests the Irish regulator is routinely under-enforcing the GDPR on the most powerful digital platforms and doing so in a way that creates additional problems for efficient functioning of the regulation since it strings out the enforcement process. (In the Facebook data flows case, for example, objections were raised to the DPC’s draft decision last August — so it’s taken some nine months to get from that draft to a final decision and suspension order now.)
As noted above, with today’s decision, the DPC is also actually implementing a binding decision taken by the EDPB last month in order to settle ongoing disagreement over Ireland’s draft decision — so much of the substance of what’s being ordered on Meta today comes, not from Dublin, but from the bloc’s supervisor body for privacy regulators.
This apparently includes the existence of a financial penalty at all — since the Board notes it instructed the DPC to amend its draft to include a penalty, writing:
Given the seriousness of the infringement, the EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum. The EDPB also instructed the IE DPA to order Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the U.S. of personal data of European users transferred in violation of the GDPR, within 6 months after notification of the IE SA’s final decision.
The applicable legal maximum penalty that Meta can be sanctioned with under the GDPR is 4% of its global annual turnover. And since its full year turnover last year was $116.61BN the maximum it could have been fined here would have been over $4BN. So the Irish regulator has opted for considerably less.
In further public remarks today, Schrems once again hit out at the DPC’s approach — accusing the regulator of essentially working to thwart enforcement of the GDPR.
“It took us ten years of litigation against the Irish DPC to get to this result. We had to bring three procedures against the DPC and risked millions of procedural costs. The Irish regulator has done everything to avoid this decision but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland — the EU Member State that did everything to ensure that this fine is not issued,” he said.
So what happens next for Facebook in Europe?
Nothing immediately. The decision provides a transition period before it must suspend data flows — of six months — so the service will continue to work in the meanwhile.
Meta has also said it will appeal and looks to be seeking to stay implementation while it takes its arguments back to court.
While Schrems has previously suggested the company will — ultimately — need to federate Facebook’s infrastructure in order to be able to offer a service to European users that does not require exporting their data to the US for processing, in the near term, Meta looks likely to be able to avoid having to suspend EU-US data flows since the transition period should buy it enough time for the aforementioned transatlantic data transfer deal to be adopted.
Earlier reports have suggested the European Commission could adopt the new EU-US data deal in July, although it has declined to provide a date for this since it says multiple stakeholders are involved in the process.
Such a timeline would mean Meta gets a new escape hatch to avoid having to suspend Facebook’s service in the EU; and can keep relying on this high level mechanism so long as it is stands. And if that happens a complaint against Facebook’s illegal data transfers that dates back almost ten years at this point will, once again, be left twisting in the wind — raising questions about whether it’s really possible for Europeans to exercise legal rights set out in the GDPR? (And, indeed, whether deep-pocketed tech giants, whose ranks are packed with well-paid lawyers and lobbyists, can be regulated at all?)
At the same time, legal challenges to the new transatlantic data transfer deal are expected — and Schrems gives the pact a tiny chance of surviving legal review by the CJEU.
So Meta and other US giants whose business models hinge on exporting data for processing over the pond could soon find themselves back in the legal bind again.
“Meta plans to rely on the new deal for transfers going forward but this is likely not a permanent fix,” Schrems suggested. “In my view, the new deal has maybe a ten percent chance of not being killed by the CJEU. Unless US surveillance laws gets fixed, Meta will likely have to keep EU data in the EU.”
This story is developing — refresh for updates…
