Facebook owner Meta has been dealt a major blow to its European operations by being ordered to stop transferring data from the continent to the US, as well as being slapped with the biggest ever GDPR fine of €1.2bn (£1bn) following an intervention by EU chiefs.
While the fine dwarfs the previous GDPR record of €746m (£636m), which Amazon is facing from Luxembourg authorities, it is the stop and desist data transfer order which is arguably far more damaging. It could also potentially hit other big US cloud providers, such as Amazon, Google or Microsoft, which use so-called standard contractual clauses (SCCs) to move EU data to the States.
This case actually dates back to 2013 when privacy campaigner Max Schrems first raised concerns about Meta’s data transfer policy following whistleblower Edward Snowden’s revelations on US big tech aiding the US mass surveillance.
Schrems insists that Meta has not taken any material precaution for over a decade, and has simply ignored the European Court of Justice and the European Data Protection Board.
Now, he maintains the ruling means Meta does not only have to pay a record fine – which could have been way bigger – but it must also return all personal data to its EU data centres.
Schrems added: “We are happy to see this decision after ten years of litigation. The fine could have been much higher, given that the maximum fine is more than €4bn and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”
The European Data Protection Board was forced to intervene in the case following complaints by other EU states over the Irish Data Protection Commission’s initial ruling. It was the EDPB that insisted on a record fine and that previously transferred data must be brought back to the EU.
Schrems said: “It took us ten years of litigation against the Irish DPC to get to this result. We had to bring three procedures against the DPC and risked millions of procedural costs. The Irish regulator has done everything to avoid this decision, but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland – the EU Member State that did everything to ensure that this fine is not issued.”
Meta says it will appeal. Facebook president Nick Clegg added: “We are disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”
However, Schrems countered: “There is no real chance [for Meta] to have this decision materially overturned. Past violations cannot be overcome by a new EU-US deal. Meta can at best delay the payment of the fine for a bit.
“Facebook’s empty threats that they will stop services in Europe are laughable. It is by far the biggest market for them outside of the US.”
But it could get even worse for the tech giant. Schrems explained: “This decision may lead to civil litigation against Meta in Europe. This summer the EU also implements a new ‘class action’ system, which can be used for GDPR violations.”
Meta bows to GDPR ruling to block personalised ads
Meta GDPR consent fine €4bn short, says Max Schrems
Meta the villain again as consent for ads is ruled illegal
Where will we be in 2023…with data-driven marketing?
Meta faces mega fine as ad policy is declared illegal
Privacy group vows to ensure that WhatsApp coughs up
Irish up WhatsApp fine 350% to €225m after EDPB call
Decision Marketing at 10: How GDPR changed the world