The Irish Data Protection Commission has announced this Monday that it is imposing a fine of 1,200 million euros on Meta, the parent company of Facebook, Instagram and WhatsApp, for breaking European privacy regulations. The organization, in charge of applying the community data protection laws to the American giant since its European headquarters are in Dublin, points out that Meta has not protected the information of Europeans from the surveillance practices of US security agencies.
Who’s afraid of Max Schrems? The EU struggles to prevent it from knocking down the sending of personal data to the US again
This is the largest sanction imposed under the European General Data Protection Regulation (RGPD) and occurs on the eve of the fifth anniversary of its entry into force, on May 25. They are almost 500 million euros more than the one imposed on Amazon in 2021 also for privacy reasons. The Irish body also obliges Meta to suspend any future transfer of personal data to the US within five months.
The amount of the fine is due to the fact that Meta has continued for almost three years with a practice that was declared illegal by the Court of Justice of the European Union (CJEU) in July 2020. The magistrates of the highest community court then ruled that transfers of personal information of Europeans by digital multinationals such as Meta (then called Facebook) violated Community law. The reason is that once the data reaches the US, it becomes accessible to its security agencies without the same judicial guarantees that this type of investigation would have in the EU.
There is no immediate disruption from Facebook because the decision includes enforcement periods that extend through the end of this year.
— President of Global Affairs at Meta
elDiario.es has contacted Meta to include their reaction to the fine in this information. The company announces that it will appeal both the sentence and the fine imposed and will request the suspension of the order before the courts. It also adds that there will be no “immediate disruption” of Facebook in Europe. This clarification on the availability of its services on the continent comes after last year it communicated to its shareholders the possibility of doing so if the European privacy agencies made a decision like the one issued this Monday by Ireland.
“Our priority is to ensure that our users, advertisers, customers and partners can continue to enjoy Facebook by keeping their data safe and secure,” said Nick Clegg, president of Global Affairs at Meta. “There is no immediate disruption to Facebook because the decision includes enforcement periods that extend through the end of this year. We intend to appeal both the merits of the decision and its orders, including the fine, and will seek a stay through the courts to pause the enforcement deadlines.”
A decade of legal battle
Meta’s decision to appeal the sanction will further lengthen a process that took its first steps a decade ago. In 2013, the then Austrian law student Max Schrems formally denounced Facebook for violating the rights of Europeans by allowing the US National Security Agency (NSA) to enter its databases without hindrance. Edward Snowden, a former analyst for the spy organization, just blew up the biggest mass surveillance scandal in history, and Schrems used that evidence to take the social network to court.
Two years later, what seemed impossible was confirmed: the CJEU agreed with the young Schrems, then 27 years old, annulling the agreement between the EU and the US for the transfer of personal data. An agreement that even then served as the legal basis for all the digital business between the two blocks, valued at billions of dollars.
The EU and the US reacted by ratifying a new treaty in less than a year. The new pact was called the “Privacy Shield” and it continued to allow the transfer of personal data from Europeans to the US. Therefore, it also gave US surveillance agencies a free hand to analyze them without the same judicial guarantees as in Europe due to the facilities approved by Washington.
Unless US surveillance laws are fixed, Meta will have to completely restructure its systems.
— Meta Whistleblower
It had happened once and it happened again. Schrems denounced the Privacy Shield and the CJEU knocked it down in 2021. The decision once again left up in the air the legality of data shipments to the US that not only Meta carries out, but practically all digital multinationals in the country. The affected companies, however, continued to transfer information based on agreements called “standard contractual clauses”.
Schrems, today honorary president of the pro-privacy NGO Noyb, has reported these shipments to privacy agencies throughout Europe, so that the coming months may leave a cascade of fines for this reason. In Spain, the Data Protection Agency is investigating Google Analytics for one of these Noyb complaints.
“We are pleased with this decision after ten years of litigation,” Schrems said on Monday. “The fine could have been much higher given that the maximum fine is over $4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws are fixed, Meta will have to completely restructure its systems.”
Washington and Brussels are currently negotiating a new treaty to regulate the exchange of personal data between the two blocs. As revealed by elDiario.es, the name of Schrems has become the main fear for both parties.
Ireland forced to act
The three years that have passed since Schrems’s complaint before the Irish Commission until the final fine also contain a background on the role that this country develops in the protection of data of citizens throughout Europe. At first, the agency defended that Meta’s practices should not be penalized.
The Irish Commission was then reprimanded from Brussels by the entity that groups the privacy agencies of the entire EU, which not only contravened its criteria but also ordered it to sanction Meta with a fine appropriate to the seriousness of the facts. The Irish body then went from defending that the American company should not be fined to imposing the largest amount in the history of European privacy.
There are many voices that have raised doubts about the role played by Ireland in these processes, since its Government maintains a policy of tax benefits that favors US digital multinationals establishing their headquarters in its territory. The situation has forced the EU to establish special surveillance of data protection investigations at a general level and propose changes to the GDPR to ensure that these resolutions are decided jointly from Brussels.
Nick Clegg has taken advantage of his statement to criticize the Irish resolution to denounce both the entity that brings together the European privacy agencies and the successive failed treaties that have left his company exposed to the historic fine. “This decision is wrong, unjustified and sets a dangerous precedent for the countless companies that transfer data between the EU and the US,” he said.