Meta, Facebook’s parent company, on Monday (22 May) was fined a record €1.2bn under GDPR for unlawful data transfers to the US by Ireland’s data protection watchdog.
However, doubts remain over the consequentiality of the decision for user privacy, as a new EU-US data transfer agreement is set to be signed before Meta would actually have to delete user data from US servers.
Moreover, as with previous record-setting fines for US big tech companies under GDPR, Facebook still has numerous opportunities to appeal the fine, both under Irish law and at the European Court of Justice.
Under the conditions of the fine, Meta has until 12 November of this year to move back or delete user data from US servers, but is unlikely to actually have to comply. Since March 2022, EU and US officials have agreed on the political terms of the EU-US Data Privacy Framework (DPF), a data-transfer agreement set up to harmonise GDPR legislation with US data collection.
Originally slated to be signed in July of this year, Estelle Massé, campaigner at digital privacy NGO Access Now, told EUobserver that it is likely to be postponed to October — still in time for Facebook to not have to delete EU user data.
“This [decision] might not mean much for people’s rights,” Massé said. “In practice, it would mean that actually Facebook would have to do nothing, because they would have a new legal basis under which the data can move to the US and stay there.”
The €1.2bn fine is obviously a huge amount of money, but Massé expects that Meta’s stock won’t suffer from the setback. “They’ve been setting aside money for quite some time now in preparation for this fine,” she said. “Based on what they told their investors just a month ago, and what they were expecting [from this fine], I’m expecting Facebook stock to go up today.”
In April of this year, Meta issued a warning in their earnings report that up to 10 percent of its global ad revenue could be at risk from the fine issued by the Irish regulators. “Obviously, they always set aside money for this and many other fines. I think they had put aside €1.6bn, so €1.2bn was a good gift,” Massé quipped.
And that is if they have to pay the full sum at all. Of all the record-setting fines issued by national legislators under GDPR since 2016, almost all of them are still winding their way through appeals. “We passed the €4bn mark of fines issued under GDPR. But if we were to research and compare how much of these fines have actually been paid, we haven’t reached €4bn.”
“It’s progress on the fine level,” Massé said. But at the same time, it might not do much for user data protection.
“Concretely, the GDPR is about protecting data protection violations for people. And what we’re being told, as people, by this decision, is that this company has been moving your data unlawfully, it is currently holding your data somewhere unlawfully, and now we give it six months to fix that solution by either deleting it or moving it back to where it’s legal for the company to have it. But the small print is that within six months’ time, they will be able to keep it there. So it means that we’re accepting that the unlawful situation continues for six more months until it’s no longer unlawful for them to do that,” she said.
Not all is lost though. Privacy campaigner Max Schrems, who filed a complaint with the Irish data protection regulators a decade ago and has continued to litigate, said in a statement that the new EU-US DPF is unlikely to hold before the European Court of Justice (CJEU).
“Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix. In my view, the new deal has maybe a ten percent chance of not being killed by the CJEU. Unless US surveillance laws get fixed, Meta will likely have to keep EU data in the EU,” Schrems said.
He also believes that Meta’s threats of withdrawing services from the EU as a result of data protection regulation are “laughable”. Europe is the biggest market for the social media giant outside of the US, so withdrawing is an “empty threat”, he said.
GDPR has been in force since 2016, which should have given Meta — and other big tech companies — ample time to have fixed the data transfer issues. “I’m not going to feel sorry for them not being ready to comply with the law that they knew was coming,” Massé said.
