noyb win: € 1.2 billion fine against Meta over EU-US data transfers
€ 1.2 billion GDPR fine for Meta over US mass surveillance. Decision required 10 years and 3 court procedures against Irish DPC.
Today, a decade-long (2013 - 2023) case on Meta's involvement in US mass surveillance has lead to a first direct decision. Meta must stop any further transfers of European personal data to the United States, given that Meta is subject to US surveillance laws (like FISA 702). The EDPB had largely overturned the Irish DPC's decision, insisting on a record fine and that previously transferred data must be brought back to the EU.
Major blow for Meta. Ever since Edward Snowden's revelations on US big tech aiding the NSA mass surveillance apparatus, Facebook (now Meta) was subject to litigation in Ireland. For ten years, Meta has not taken any material precaution, but simply ignored the European Court of Justice (CJEU) and the European Data Protection Board (EDPB). Now Meta does not only have to pay a record fine of € 1.2 billion, but must also return all personal data to its EU data centers.
Max Schrems: "We are happy to see this decision after ten years of litigation. The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems."
FISA 702 subject to reauthorization. The current conflict between EU privacy laws and US surveillance laws are also a problem for all other large US cloud providers, such as Microsoft, Google or Amazon. The underlying US surveillance law (FISA 702) must be reauthorized by December 2023. The appetite for material changes may be larger for US big tech, now where there is the first major fine from EU data protection authorities. Numerous decisions from France, Italy and Austria found the use of US services unlawful, but did not include a major fine.
Max Schrems: "The simplest fix would be reasonable limitations in US surveillance law. There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance. It would be time to grant these basic protections to EU customers of US cloud providers. Any other big US cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under EU law."
Past violations - successful appeal unlikely. We expect Meta to file an appeal with the Irish and potentially the European Courts, however the chances to have this decision materially overturned are low: The CJEU has already decided that there was no valid legal basis for EU-US data transfers in two cases between 2007 and 2023. There is also no option for any new deal to legalize previous violations of the law.
Max Schrems: "Meta will appeal this decision, but there is no real chance to have this decision materially overturned. Past violations cannot be overcome by a new EU-US deal. Meta can at best delay the payment of the fine for a bit.”
Future transfers: Meta’s hopes for new EU-US deal on shaky ground. For all future transfers, Meta now hopes to switch to a new EU-US data transfer deal. The new deal has already faced harsh critizism from the European Parliament, but will likely come into force after the summer. These hopes may however be shattered soon. It is not unlikely that the new deal will be invalidated by the CJEU - just like the two previous EU-US data deals (“Privacy Shield” and “Safe Harbor”). Such invalidations have retroactive effect.
Max Schrems: "Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix. In my view, the new deal has maybe a ten percent chance of not being killed by the CJEU. Unless US surveillance laws gets fixed, Meta will likely have to keep EU data in the EU."
Ten years, three court proceedings and millions in legal costs. The Irish DPC’s role in this procedure is exceptional, as it has consistently tried to block the case from going ahead, in 2013 it rejected the original complaint as “frivolous” – requiring Mr Schrems to go all the way to the CJEU. The DPC then took the view that it cannot take action, given that Meta made use of so-called “Standard Contractual Clauses”, which was again rejected by the CJEU, who told the DPC that it must take action. Finally, the DPC tried to shield Meta from a fine and the deletion of data that is already transferred, just to be overturned by the EDPB. Overall these procedures led to costs of more than 10 million Euro - the fine, however, will go to the Irish state.
Max Schrems: “It took us ten years of litigation against the Irish DPC to get to this result. We had to bring three procedures against the DPC and risked millions of procedural costs. The Irish regulator has done everything to avoid this decision, but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland - the EU Member State that did everything to ensure that this fine is not issued."
Implementation period, no immanent stop of services. Previously, Facebook / Meta spread the rumor that it would stop providing services in Europe. Given that Europe is by far the biggest source of income outside of the US and Meta has already built local data centers in the EU, these announcements are hardly credible. The long term solution seems to be some form of 'federated social network' where most personal data would stay in the EU, while only 'necessary' transfers would continue - for example when a European sends a direct message to a US friend. While Meta only got a short implementation period to come up with a solution, it knew about the legal situation for ten years and was already served with a draft decision in 2022.
Max Schrems: "Facebook's empty threats that they will stop services in Europe are laughable. It is by far the biggest market for them outside of the US. One potential option moving forward would be a 'federated' social network, where European data stays in their data centers in Europe, unless users chat with a US friend, for example."
Futher ligitation may follow. Pending class action in the Netherlands. Under a recent judgement by the CJEU users may also be able to claim emotional damages for smaller violations of their data protection rights - such as making it subject to US mass surveillance. This will lead to claims that may far exceed today's penalty. For example, the Dutch consumer rights organization Consumentenbond is currently signing up Dutch Facebook users to bring their claims over EU-US data transfers. Without users requesting a fair compensation, we will not see any true change. The authorities are currently not very active in enforcing the GDPR, so consumer rights organizations and users have to take action. For that reason, we encourage every Facebook user in the Netherlands to register their claims for possible damages. Furthermore, the EU's Collective Redress Directive must also be implemented this summer, which will for the first time allow collective actions by European users for GDPR violations.
Max Schrems: "This decision may lead to civil litigation against Meta in Europe. This summer the EU also implements a new 'class action' system, which can be used for GDPR violations."