Meta, the parent company of Facebook, Instagram, and WhatsApp, is subject to a $1.3 billion (1.2 billion euro) fine under the European Union’s General Data Protection Regulation. The Irish Data Protection Authority (IE DPA) issued the fine in response to Meta’s transfer of Facebook users’ personal data from Europe to the United States. This record fine also comes with an order for Meta to make its data transfers compliant with GDPR.
What does this fine mean for Meta, as well as other companies with business models that rely on data transfers?
Meta’s $1.3 billion fine comes after a protracted legal battle in Ireland. Max Schrems, an Austrian lawyer and privacy advocate, filed a complaint against Facebook with the Irish Data Protection Commissioner in 2013. The complaint challenged Meta’s transfer of Facebook user data from Europe to the US. In 2020, Schrems won a lawsuit. As a result, the Court of Justice of the European Union invalidated the European Commission’s Privacy Shield Decision. It also resulted in stricter requirements relating to data transfers made based on standard contract clauses (SCCs).
The crux of the issue is a concern that US surveillance practices violate European users’ right to privacy and data protection. Regulators based the 2023 decision and fine on Meta’s transfer of personal data via SCCs since July 2020.
“The simplest fix would be reasonable limitations in US surveillance law. There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance. It would be time to grant these basic protections to EU customers of US cloud providers. Any other big US cloud provider, such as Amazon, Google or Microsoft, could be hit with a similar decision under EU law,” said Schrems in a press release from noyb, a nonprofit focused on privacy rights.
The European Data Protection Board (EDPB) ultimately told the IE DPA to issue the fine. The IE DPA order, as directed by the EDPB, requires Meta to make its processing operations GDPR-compliant. The order gives Meta five months to suspend its EU data transfers.
A Planned Appeal
Meta plans to appeal the decision. In a response to the decision, the company argues that it used the same data transfer practices, SCCs, as thousands of other businesses, believing them to be GDPR-compliant. “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US,” according to the company’s response.
For now, Facebook’s operations have not been disrupted in Europe. Carl Szabo, vice president and general counsel of NetChoice, a tech industry group funded by companies including Meta, tells InformationWeek that user access could change if Meta is unsuccessful in securing a block to the data transfer ban. “If they don’t get the block from court by October 13, Europeans should expect to see their access to WhatsApp, Facebook, and other Meta services disappear,” he says.
With this fine and decision years in the making, what could the appeals process look like? “Based on appeal proceedings in other EU member states, the initial appeal process will take two to three years at a minimum,” says Lily Li, founder and president of Metaverse Law Corporation, a law firm focused on data privacy, cybersecurity, artificial intelligence, and metaverse law.
With a lengthy legal process likely ahead, the hefty fine hangs in the balance. Amazon holds the previous record for the highest GDPR fine. The Luxembourg National Commission for Data Protection issued the $887 million (746 million euro) fine in 2021. The ecommerce giant has also appealed. “If the company succeeds in reducing the fine, which will be determined in 2024, it could create another opportunity for Meta to appeal the case as well,” Andres Saravia, a senior consultant on the strategy and risk team at management advisory firm MorganFranklin Consulting, points out.
British Airways faced a 183-million-pound GDPR fine as a result of a 2018 data breach. In 2020, that fine was reduced to 20 million pounds, Forbes reported.
While GDPR fines have been reduced in the past, the same may not happen for Meta. “Considering the significant impact on personal data rights resulting from violations of GDPR regulations related to data transfers, it appears highly likely that the full extent of the penalty will be imposed,” Saravia argues.
The Outlook for GDPR Enforcement
GDPR, often hailed as the gold standard of privacy regulations, reaches its fifth anniversary this month. While it has served as the impetus for other data protection regulations around the world, it has also been the subject of criticism. Some critics point to a lack of enforcement. What does Meta’s fine mean for the future of GDPR enforcement?
With five years of experience under their belts, DPAs will be prepared for future action, Saravia anticipates. “Each Data Protection Authority has more experience to apply the law and to detect each possible violation of privacy,” he says.
Li anticipates more enforcement action stemming from the Meta fine. “The DPC [Data Protection Commission] will have more resources to pursue other big tech companies headquartered in Ireland,” she says. “In addition, this decision will empower other EU regulators to proceed with similar regulatory actions.”
The Trans-Atlantic Data Privacy Framework
The European Commission and the US have reached an agreement on a new Trans-Atlantic Data Privacy Framework (TADPF), which “will reestablish an important legal mechanism for transfers of EU personal data to the United States,” according to a White House fact sheet. The agreement is meant to limit the access US intelligence authorities have to data. While this agreement could facilitate the transatlantic flow of data, it is unlikely to have a bearing on Meta’s fine. The framework “does not apply retroactively,” according to Li.
But this agreement does have implications for how Meta, and many other companies, will be able to do business in the European Union going forward. The framework “… would address the two substantive orders in the decision: the stop transfer order and order to bring processing in the United States into compliance,” says Caitlin Fennessy, vice president and chief knowledge officer of the nonprofit International Association of Privacy Professionals. “The European Commission stated … that it expects the new EU-US Data Privacy Framework to be fully functional by summer, suggesting that an adequacy determination could come online just in time to avoid significant disruptions in transatlantic business.”
Implications for Other Companies
Meta’s tangle with GDPR enforcement is one that other companies involved in transatlantic personal data transfer are watching closely. “Cross-border transfers and data sovereignty are becoming increasingly important issues across industries: they need a way to detect and respond to changing cross-border data transfer regulations and restrictions,” says Dimitri Sirota, CEO of data security, compliance, privacy, and governance company BigID.
“This decision makes clear that companies have risk on the table when transferring personal data across the Atlantic. Privacy professionals have known that for years and dozens have referenced it in their financial filings,” Fennessy says. “But this decision attaches a huge price tag to that risk and will undoubtedly capture the attention of business executives.”
Privacy professionals and business leaders will likely need to factor Meta’s fine and order, as well as the forthcoming TADPF, into their own risk assessments. While risk can be managed, it cannot be eliminated completely, according to Fennessy. “Business leaders should also recognize that the global landscape for data transfers is only growing more complex, such that these challenges will likely move from the transatlantic sphere to the global one in the years to come,” she says.