The Irish privacy watchdog has fined Facebook parent Meta 1.2 billion euros for illegally transferring the personal data of hundreds of millions of Europeans to American servers.
In addition to the fine, Meta is also required to stop transferring personal data to servers in the US within five months. It must stop processing that data within six months.
The regulator in Dublin has just announced this. Last month it received binding European advice to this effect.
It is the highest fine ever imposed in Europe for violation of the GDPR privacy directive, known in the Netherlands as AVG. The fine could have been higher, because privacy violations on this scale can be punished with a maximum fine of four percent of annual turnover. For Facebook, that would mean 4.3 billion euros, but the fine came to 28 percent of that amount. That is at the lower end of the range recommended by the European regulator EDPB. The Brussels advice was: somewhere between twenty and one hundred percent, as a clear signal to other market parties who are in the same boat.
In substance, the case is about the following. The European Court ruled in 2020 that the profile site may not send personal data of European users to the US.
The ruling protects the personal data of European citizens from US government and intelligence agencies. They should not simply be able to snoop secretly on the personal data of citizens held on the servers of parties such as Google, Facebook and Microsoft. American law now allows them to do so through the Cloud Act.
Facebook therefore now uses so-called ‘standard contract clauses’ as a legal workaround so that it can still run its advertising business on personal data. However, the Austrian regulator recently rejected that construction. The Irish regulator shares this view, which is why it will automatically apply to the whole of Europe. Facebook’s European headquarters is in Ireland, which is why the Irish regulator is responsible for enforcing European rules.
Meta says in a first response: “This decision is not correct and sets a dangerous precedent for countless companies that transport personal data from Europe to the US.” Some of these parties are, for example, Amazon, Google and Microsoft. There are also rules for correct data transfer and processing, but Meta does not adhere to them.
Civil rights organization noyb welcomes the decision and expects CEO Zuckerberg to appeal. The chance of success, says privacy advocate Max Schrems, is small because similar appeal cases were rejected in Dublin.
At the root of the dispute lies the difference in views on the protection of privacy between the EU and the US. Interest group International Association of Privacy Professionals (IAPP) is calling for a quick political solution. European institutions have so far spoken in favor of citizens. Members of the IAPP are parties such as Microsoft, Google, Meta, Deloitte, KPMG and Intel. They seek perspective, but encounter an impasse.
Update 22-05-2023 15:14:
Investors don’t seem too impressed. The Meta share is less than one percent lower in pre-market trading.
Sandra Molenaar, director of the Consumer Association, responds in a press statement: “After the resounding victory in our own lawsuit against Facebook, this is another important blow for consumers. It is also an important support for consumers joining our claim against Facebook. Their case is a lot stronger with this. Slowly but surely, the net is closing around Facebook.”