In the ruling, Meta, was given an unprecedented fine of €1.2 billion by the EU data regulators. Data protection commissioners in Ireland made the decision over concerns that transferring EU data to the US would compromise the rights of EU citizens to privacy. Several US mass surveillance programs were revealed in 2013 by whistleblower Edward Snowden, which led to this complaint.
Meta's European users' fundamental rights and freedoms could be violated by the current legal framework for data transfers to the US, resulting in a violation of the General Data Protection Regulation (GDPR).. This record-breaking fine surpasses the previous highest penalty of €746 million imposed on Amazon in 2021 for similar privacy violations.
Data transfers to the US are crucial for Meta's extensive ad-targeting operations, which heavily rely on processing vast amounts of personal data from its users. Last year, Meta warned that it might have to consider shutting down Facebook and Instagram in the EU if it were unable to transfer data back to the US. European Union politicians saw this as a clear threat, with EU lawmaker Axel Voss asserting, "Meta cannot just blackmail the EU into giving up its data protection standards. Leaving the EU would be their loss."
Previously, these data transfers were protected by the Privacy Shield, a transatlantic pact. However, in 2020, the European Union's highest court invalidated this framework, ruling that it failed to safeguard data against US surveillance programs. This decision came in response to a claim made by Austrian lawyer Max Schrems, whose legal battle against Facebook dates back to 2013 and the initial Snowden disclosures.
Despite the order to halt data transfers, there are several caveats that favor Meta, the US social media giant. Firstly, the ruling only applies to data from Facebook, not other Meta-owned companies like Instagram and WhatsApp. Additionally, Meta has five months before it must cease future data transfers and six months before it must stop holding existing data in the US. A new data transfer agreement is being negotiated between the EU and the US, which is expected to be established this summer or by October.
Although the fine is of record-breaking magnitude, experts doubt that it will fundamentally alter Meta's privacy practices. Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, stated, "A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally." However, others, such as Max Schrems, expressed satisfaction with the ruling, emphasizing that the fine could have been even higher considering the maximum penalty allowed by law.
Meta, in response, has criticized the fine as "unjustified and unnecessary." Meta's President for Global Affairs, Nick Clegg, and Chief Legal Officer, Jennifer Newstead, penned a blog post outlining the company's viewpoint. They assert that Meta is just one of "thousands" of companies employing similar legal frameworks for data transfers and announced their intention to appeal the decisions while seeking a stay with the courts to halt the implementation deadlines.
Max Schrems believes that Meta's challenges are far from over. He anticipates that any legal appeal by the company against the current ruling will be unsuccessful. Furthermore, he predicts that the forthcoming EU-US data transfer protocol will not satisfy the EU's privacy regulations in court. Schrems asserts, "Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix. Unless US surveillance laws get fixed, Meta will likely have to keep EU data in the EU."