It’s finally happened: Meta, the company formerly known as Facebook, has been hit with a formal suspension order requiring it to stop exporting European Union user data to the US for processing.
Today the European Data Protection Board (EDPB) announced that Meta has been fined €1.2 billion (close to $1.3BN) — which the Board confirmed is the largest fine ever issued under the bloc’s General Data Protection Regulation (GDPR). (The prior record goes to Amazon which was stung for $887M for misusing customers data for ad targeting back in 2021.)
Meta’s sanction is for breaching conditions set out in the pan-EU regulation governing transfers of personal data to so-called third countries (in this case the US) without ensuring adequate protections for people’s information.
European judges have previously found US surveillance practices to conflict with EU privacy rights.
In a press release announcing today’s decision the EDPB’s chair, Andrea Jelinek, said:
The EDPB found that Meta IE’s [Ireland’s] infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.
At the time of writing the Irish Data Protection Commission (DPC), the body responsible for implementing the EDPB’s binding decision, had not provided comment. (But its final decision can be found here.)
Meta quickly put out a blog post with its response to the suspension order in which it confirmed it will appeal. It also sought to blame the issue on a conflict between EU and US law, rather than its own privacy practices, with Nick Clegg, president, global affairs, and Jennifer Newstead, chief legal officer, writing:
We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day.
Back in April the adtech giant warned investors that around 10% of its global ad revenue would be at risk were an EU data flows suspension to actually be implemented.
Asked ahead of the decision what preparations it’s made for a possible suspension, Meta spokesman Matthew Pollard declined to provide “extra guidance”. Instead he pointed back to an earlier statement in which the company claimed the case relates to a “historic conflict of EU and US law” which it suggested is in the process of being resolved by EU and US lawmakers who are working on a new transatlantic data transfer arrangement. However the rebooted transatlantic data framework Pollard referred to has yet to be adopted.
It’s also worth noting that while today’s fine and suspension order is limited to Facebook, Meta is far from the only company affected by the ongoing legal uncertainty attached to EU-US data transfers. So pressure is likely to be amped up on lawmakers on both sides of the Atlantic to get the deal over the line.
The decision emerging out of the Irish DPC flows from a complaint made against Facebook’s Irish subsidiary almost a decade ago, by privacy campaigner Max Schrems — who has been a vocal critic of Meta’s lead data protection regulator in the EU, accusing the Irish privacy regulator of taking an intentionally long and winding path in order to frustrate effective enforcement of the bloc’s rulebook.
On the substance of his complaint, Schrems argues that the only sure-fire way to fix the EU-US data flows doom loop is for the US to grasp the nettle and reform its surveillance practices.
Responding to today’s order in a statement (via his privacy rights not-for-profit, noyb), he said: “We are happy to see this decision after ten years of litigation. The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”
For its part, the DPC — which oversees GDPR compliance for multiple tech giants whose regional headquarters are sited in Ireland — routinely rejects criticism that its actions create a bottleneck for enforcement, arguing its processes reflect what’s necessary to perform due diligence on complex cross-border cases. It also often seeks to deflect blame for delays in reaching decisions onto other supervisors authorities that raise objections to its draft decisions.
However it’s notable that objections to DPC draft decisions against Big Tech have led to stronger enforcement being imposed via a cooperation mechanism baked into the GDPR — such as in earlier decisions against Meta and Twitter.
This suggests the Irish regulator is routinely under-enforcing the GDPR on the most powerful digital platforms and doing so in a way that creates additional problems for efficient functioning of the regulation since it strings out the enforcement process. (In the Facebook data flows case, for example, objections were raised to the DPC’s draft decision last August — so it’s taken some nine months to get from that draft to a final decision and suspension order now.) And, well, if you string enforcement out for long enough you may allow enough time for the goalposts to be moved politically that enforcement never actually needs to happen. Which, while demonstrably convenient for data-mining tech giants like Meta, does make a mockery of citizens’ fundamental rights.
As noted above, with today’s decision, the DPC is actually implementing a binding decision taken by the EDPB last month in order to settle ongoing disagreement over Ireland’s draft decision — so much of the substance of what’s being ordered on Meta today comes, not from Dublin, but from the bloc’s supervisor body for privacy regulators.
This apparently includes the existence of a financial penalty at all — since the Board notes it instructed the DPC to amend its draft to include a penalty, writing:
Given the seriousness of the infringement, the EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum. The EDPB also instructed the IE DPA to order Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the U.S. of personal data of European users transferred in violation of the GDPR, within 6 months after notification of the IE SA’s final decision.
The applicable legal maximum penalty that Meta can be sanctioned with under the GDPR is 4% of its global annual turnover. And since its full year turnover last year was $116.61BN the maximum it could have been fined here would have been over $4BN. So the Irish regulator has opted to fine Meta considerably less than it could have (but still a lot more than it wanted to).
In further public remarks today, Schrems once again hit out at the DPC’s approach — accusing the regulator of essentially working to thwart enforcement of the GDPR. “It took us ten years of litigation against the Irish DPC to get to this result. We had to bring three procedures against the DPC and risked millions of procedural costs. The Irish regulator has done everything to avoid this decision but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland — the EU Member State that did everything to ensure that this fine is not issued,” he said.
So what happens next for Facebook in Europe?
Nothing immediately. The decision provides a transition period before it must suspend data flows — of around six months — so the service will continue to work in the meanwhile. (More specifically, Meta has been given a transition period of five months to suspend any future transfer of personal data to the US; and a six month deadline to stop the unlawful processing and/or storage of European user data it has previously transferred without a valid legal basis.)
Meta has also said it will appeal and looks to be seeking to stay implementation while it takes its arguments back to court.
Schrems has previously suggested the company will — ultimately — need to federate Facebook’s infrastructure in order to be able to offer a service to European users which does not require exporting their data to the US for processing. But, in the near term, Meta looks likely to be able to avoid having to suspend EU-US data flows since the transition period in today’s decision should buy it enough time for the aforementioned transatlantic data transfer deal to be adopted.
Earlier reports have suggested the European Commission could adopt the new EU-US data deal in July, although it has declined to provide a date for this since it says multiple stakeholders are involved in the process.
Such a timeline would mean Meta gets a new escape hatch to avoid having to suspend Facebook’s service in the EU; and can keep relying on this high level mechanism so long as it is stands.
If that’s how the next section of this torturous complaint saga plays out it will mean that a case against Facebook’s illegal data transfers which dates back almost ten years at this point will, once again, be left twisting in the wind — raising questions about whether it’s really possible for Europeans to exercise legal rights set out in the GDPR? (And, indeed, whether deep-pocketed tech giants, whose ranks are packed with well-paid lawyers and lobbyists, can be regulated at all?)
At the same time, legal challenges to the new transatlantic data transfer deal are expected and Schrems gives the EU-US pact a tiny chance of surviving legal review.
So Meta and other US giants whose business models hinge on exporting data for processing over the pond could find themselves back in this doom loop soon enough.
“Meta plans to rely on the new deal for transfers going forward but this is likely not a permanent fix,” Schrems suggested. “In my view, the new deal has maybe a ten percent chance of not being killed by the CJEU. Unless US surveillance laws gets fixed, Meta will likely have to keep EU data in the EU.”
There is also the question of whether Meta will still be required to delete historical data transfers — since it did not have any legal basis for these transfers.
Any new transatlantic mechanism should only apply to future data flows, not past exports. So that could create an ongoing headache for Meta. Leaked internal documents have suggested it lacks proper controls over its internal ad data flows which could make complying with an order to selective delete Europeans’ data an expensive nightmare for the adtech giant.
How did we get here?
Schrems was acting in the wake of concerns kicked up back in 2013 after NSA whistleblower Edward Snowden spilled the beans on how US government surveillance programs were hoovering up user data from social media websites (aka PRISM), among myriad revelations about the extent of the mass surveillance practices in what came to be known as the Snowden disclosures.
That’s relevant because European law enshrines protections for personal data which Schrems suspected were being put at risk by US laws prioritizing national security and handing intelligence agencies sweeping powers to snoop on Internet users’ information.
His original complaints actually targeted a number of tech giants over alleged compliance with US intelligence agencies’ PRISM data collection programs. But in July 2013 two of the complaints, against Apple and Facebook, were flicked away by Ireland’s data protection authority as it accepted their registration with an EU-US data adequacy scheme that was in place at the time (Safe Harbor), arguing it dissolved any surveillance-based concerns.
Schrems appealed the regulator’s decision to the Irish High Court which made a referral to the Court of Justice of the EU (CJEU) — and that led, in October 2015, to the bloc’s top court striking down Safe Harbor after the judges ruled the data transfer deal was unsafe, finding it did not provide the required essential equivalence of the EU’s data protection regime for data exports to the US. That ruling came to be known as Schrems I. (Hang in there for Schrems II.)
A couple of months after the CJEU dropped its bombshell, Schrems refiled his complaint against Facebook in Ireland — asking the data protection authority to suspend Facebook’s EU-US data flows in light of what he dubbed the “very clear” judgement on the risk posed by US government surveillance programs.
At the same time, the toppling of Safe Harbor had led to a scramble by EU and US lawmakers to negotiate a replacement data transfer deal, since it wasn’t just Facebook that was implicated — thousands of businesses were affected by the legal uncertainty clouding data exports. And in a remarkably short time the two sides agreed and adopted (by July 2016) the EU-US Privacy Shield, as the replacement adequacy deal was (somewhat unfortunately) christened.
However, as befits a rush job, Privacy Shield was dogged from the get-go by concerns it was essentially just a sticking plaster atop a legal schism. In customary no-nonsense fashion, Schrems offered a more visceral description — branding it “lipstick on a pig“. And, well, to cut a long story short, the CJEU agreed — smashing the Shield to smithereens, in July 2020, in another landmark strike over the core clash between US surveillance law and EU privacy rights.
Thing is, Schrems had not actually challenged Privacy Shield directly. Rather, he’d updated his complaint in Ireland against Facebook’s data exports to target use of another, longer-standing data transfer mechanism, known as Standard Contractual Contracts (SCCs) — asking the Irish DPA to suspend Facebook’s use of SCCs.
The Irish watchdog again declined to do so. Instead it opted for the equivalent of saying ‘hold my beer’: Choosing to go to court to challenge the (general) legality of SCCs, as it said it was now concerned that the entire mechanism was unsafe.
The DPA’s legal challenge to SCCs essentially parked Schrems’ complaint against Facebook’s data flows while action switched to assessment of the whole data transfer mechanism. But, once again, this legal twist ended up blowing the doors off, as the Irish High Court went on to query whether Privacy Shield itself was bona fide in a new referral to the CJEU (April 2018). And, well, you should know what comes next: A couple of years on the answer from the bloc’s top judges was that this second claim of adequacy was deficient and so the mechanism was now also defunct. RIP Privacy Shield. (A sequential result known as Schrems II.)
Ah but Facebook was using SCCs not Privacy Shield to authorize these data transfers, I hear you cry! Thing is, while the CJEU did not invalidate SCCs the judges made it clear that where they are being used to export data to a so-called “third country” (such as the US) then EU data protection authorities have a duty to pay attention to what’s going on and, crucially, step in when they suspect people’s data is not adequately protected in the risky location… So the clear message from the CJEU was that enforcement must happen. Add to that, the fact the court had invalidated Privacy Shield over safety concerns flowing from US surveillance practices it was clear the country where Facebook routinely takes data was marked as unsafe.
This is a special problem for Facebook since the US adtech giant’s business model hinges on access to user data, in order that it can track and profile web users to target them with behavioral ads, so the tech giant was not in a position to apply extra safeguards (such as end-to-end encryption) which might otherwise be able to raise the level of protection on Europeans’ data exported to the US.
The upshot of all this was the issue was now impossible for Ireland to ignore — with US data adequacy vaporised and the alternative mechanism Facebook was relying on under CJEU-ordered scrutiny — and so, in short order (September 2020), news leaked to the press that the Irish DPA had sent Facebook’s parent, Meta, a preliminary order to suspend data flows.
This then kicked off a flurry of fresh legal challenges as Meta obtained a stay on the order and sought to challenge it in court. But these expected legal twists were complicated by yet another odd decision by the Irish regulator — which, at this time, elected to open a second (new) procedure while pausing the original one (i.e. Schrems’ long-standing complaint).
Schrems cried foul, suspecting fresh delaying tactics, and went on to obtain a judicial review of the DPA’s procedures too — which led, in January 2021, to the Irish DPA agreeing to swiftly finalize his complaint.
In May of the same year the Irish courts also booted Meta’s legal challenge to the DPC — lifting the stay on its ability to proceed with the decision-making process. So Ireland now had, er, no excuses not to get on with the job of deciding on Schrems’ complaint. This put the saga back into the standard GDPR enforcement rails, with the DPC working through its investigation over the best part of a year to reach a revised preliminary decision (February 2022) which it then passed to fellow EU DPAs for review.
Objections to its draft decision were duly raised by August 2022. And EU authorities subsequently failing to reach agreement among themselves — meaning it was left to the European Data Protection Board (EDPB) to take a binding decision (April 2023).
That then gave the Irish regulator a hard deadline of one month to produce a final decision — implementing the EDPB’s binding decision. Which means the meat of what’s been decided today can’t be credited to Dublin.
EU-US Data Privacy Framework as Meta escape hatch
That’s not all either. As noted above, there’s another salient detail that looks set to influence what happens in the near term with Meta’s data flows (and potentially lead to a Schrems III in the coming years): Over the past few years EU and US lawmakers have been holding talks aimed at trying to find a way to revive US adequacy following the CJEU’s torpedoing of Privacy Shield by, they claim, tackling the concerns raised by the judges.
At the time of writing, work to put this replacement data transfer deal in place is still ongoing — with adoption of the arrangement slated as possible during the summer — but the path to arrive at the new deal has already proven far more challenging than last time.
Political agreement on the aforementioned EU-U.S. Data Privacy Framework (DPF) was announced in March 2022; followed, in October, by US president Joe Biden signing an executive order on it; and, in December, the Commission announced a draft agreement on the framework. But, as noted above, the EU’s adoption process has not yet completed so there’s no over-arching high level framework in place for Meta to lock on to quite yet.
If/when the DPF does get adopted by the EU it’s a safe bet Meta will sign up and seek to use it as a new rubberstamp for its EU-US data flows. So this is one near-term route for Facebook to avoid having to act on the suspension order regardless of what happens with its legal appeal. (And, indeed, the company’s blog post today highlights its expectations for smooth running under the incoming framework, with Meta writing: “We are pleased that the DPC also confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects’ data once the underlying conflict of law has been resolved. This will mean that if the DPF comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users.”)
But the legality of the DPF is almost certain to be challenged (if not by Schrems himself there are plenty of digital rights groups who might want to wade in.) And, if that happens it’s certainly possible the CJEU will, once again, find a lack of necessary safeguards — given we have not seen substantial reforms of US surveillance law since they last checked in, while various concerns have been raised by data protection experts about the reworked proposal.
The Commission claims the two sides have worked hard to address the CJEU’s concerns — pointing, for example, to the inclusion of new language they suggest will limit US surveillance agencies’ activity (to what’s “necessity and proportionality”), along with a promise of enhanced oversight and, for individual redress, a so-called “Data Protection Review Court”.
However, on the flip side, data protection experts query whether US spooks will really be working to the same definition of necessity and proportionality as EU law upholds, not least as some bulk collection remains possible under the framework. They also argued redress for individuals still looks difficult since decisions by the body that’s being framed as a court will be secret (nor is it as strictly independent from political influence as an actual legal court, they suggest).
And, as we’ve reported, Schrems himself remains sceptical. “We don’t think that the current framework is going to work,” he told journalists in a recent briefing ahead of the five year anniversary of the GDPR being applied. “We think that’s going to go back to the Court of Justice and will be another element that just generates a lot of tension between the different layers [of enforcement].” He also suggested that a comparison between the executive order Biden signed for the new arrangement and the earlier presidential policy directive, by president Obama, that was reviewed by the Court of Justice when they considered the legality of Privacy Shield, doesn’t show a lot of change, suggesting they’re “pretty much identical”.
“There are some new elements in the new technical order, also some improvements. But most of the stuff that is floated in press releases and public debate, that is new is actually not new. But has been there before,” he also argued. “So we oftentimes don’t really understand how that should change much but we’ll go back to the courts the next year or two, and we’ll then probably get to Court of Justice and we’ll have a third decision that will either tell us that everything is not cool and wonderful and we can move on or that we just are going to be stuck in that for longer.”
So, while — if you listen to the high level mood music — the framework contains substantial revisions to fix the legal schism. But we’ll only really know if that’s true if/when the CJEU gets to weigh in again in a few years’ time.
That means it’s certainly possible that EU-US adequacy could come unstuck again in the not too distant future. And that would fire up Facebook’s data transfer problem once again — thanks to the intrusive reality of US surveillance practices and the sweeping licence afforded to matters of national security over the pond which trample all over foreign (European) concepts of privacy and data protection.
The requirement for EU adequacy of essential equivalence to the bloc’s data protection regime represents a hard stop where a fudge won’t be able to stick forever. (And, well, the prospect of Donald Trump being elected US president again, in 2024, adds extra precariousness to DPF survival calculations.) But, well, that’s a story for the months and years ahead.
Ireland’s GDPR enforcement “bottleneck”
Returning to Schrems’ near-decade long battle for a decision on his complaint, as a case-study in delayed data protection enforcement this one is hard to beat. Indeed, it may represent a record for how long an individual has waited (at least if you ignore all the complaints where no action was taken by the regulator at all).
But it’s important to emphasize that the Irish DPC’s record on GDPR enforcement is under more general attack than the slings and arrows it’s received as a result of this particularly tortuous data flows saga. (Which even Schrems sounds like he’d quite like to see the back of at this point.)
Analysis on five years of the GDPR, put out earlier this month by the Irish Council for Civil Liberties (ICCL), dubs the enforcement situation a “crisis” — warning: “Europe’s failure to enforce the GDPR exposes everyone to acute hazard in the digital age and fingering Ireland’s DPA as a leading cause of enforcement failure against Big Tech.”
And the ICCL points the finger of blame squarely at Ireland’s DPC.
“Ireland continues to be the bottleneck of enforcement: It delivers few draft decisions on major cross-border cases, and when it does eventually do so other European enforcers routinely vote by majority to force it to take tougher enforcement action,” the report argues — before pointing out that: “Uniquely, 75% of Ireland’s GDPR investigation decisions in major EU cases were overruled by majority vote of its European counterparts at the EDPB, who demand tougher enforcement action.”
The ICCL also highlights that nearly all (87%) of cross-border GDPR complaints to Ireland repeatedly involve the same handful of Big Tech companies: Google, Meta (Facebook, Instagram, WhatsApp), Apple, TikTok, and Microsoft. But says many complaints against these tech giants never even get a full investigation — thereby depriving complaints of the ability to exercise their rights.
The analysis points out that the Irish DPC chooses “amicable resolution” to conclude the vast majority (83%) of cross-border complaints it receives (citing the oversight body’s own statistics) — further noting: “Using amicable resolution for repeat offenders, or for matters likely to impact many people, contravenes European Data Protection Board guidelines.”
The DPC was contacted for a response to the analysis but declined comment.
The ICCL has called for Commission to step in and tackle the GDPR enforcement crisis, warning: “The Commission’s forthcoming proposal to improve how DPAs cooperate may help but much more is required to fix GDPR enforcement. The ultimate responsibility for this crisis rests with the European Commissioner for Justice, Didier Reynders. We urge him to take serious action.”
Today’s final decision on Facebook’s data flows flopping out of Ireland, after almost a decade of procedural dilly-dallying — which, let’s not forget, has claimed the scalps of not one but two high level EU-US data deals thus far — won’t do anything to quell criticism of the Ireland as a GDPR enforcement bottleneck (regardless of helpful press leaks last week ahead of today’s Facebook data flows decision (and indeed today!), seeking to frame a positive narrative for the regulator with talk of a “record” fine but no mention of the EDPB’s role in binding the enforcement).
Indeed, the lasting legacy of the Facebook data flows saga, and other painstakingly extracted DPC under-enforcements against Big Tech’s systematic privacy abuses, is already writ large in the centalized oversight role of Big Tech that the Commission has taken on itself for the Digital Services Act and Digital Markets Act — a development that recognizes the importance of regulating platform power for securing the future of the European project.
All that said, Ireland’s data protection authority obviously can’t carry the can for all the myriad enforcement issues attached to the GDPR.
The reality is a patchwork of problems frustrate effective enforcement across the bloc as you might expect with decentralized oversight structure which factors in linguistic and culture differences across 27 Member States and varying opinions on how best to approach oversight atop big (and very personal) concepts like privacy which may mean very different things to different people.
Schrems’ privacy rights not-for-profit, noyb, has been collating information on this patchwork of GDPR enforcement issues — which include things like under-resourcing of smaller agencies and a general lack of in-house expertise to deal with digital issues; transparency problems and information blackholes for complainants; cooperation issues and legal barriers frustrating cross-border complaints; and all sorts of ‘creative’ interpretations of complaints “handling” — meaning nothing being done about a complaint still remains a common outcome — to name just a few of the issues it’s encountered.
“The reality is we have to tell people, in many cases, you have a right to complain, but the chances are that this is not going to help you and not going to fix your problem. And that is fundamentally an issue if we say we have a fundamental right to privacy, and there are all these authorities and we pump millions of Euros into them. And the answer we have to give to people is to say you can give it a try but very likely it’s not going to help you — and that is my biggest worry after five years of the GDPR that unfortunately that’s still the answer we have to give people,” says Schrems.
At the same time, Ireland does play an oversized role in GDPR enforcement on Big Tech — which in turn has an outsized impact on web users’ rights — which means the decisions it drafts and shapes (or, indeed, elects not to take) impact hundreds of millions of European consumers. So the level of scrutiny on Dublin is well merited.