The case is about Facebook’s involvement in mass surveillance by Anglo-American secret services, which was uncovered by US whistleblower Edward Snowden.
The US Facebook group Meta has received a record fine of 1.2 billion euros for violating the European General Data Protection Regulation (GDPR) and must stop the transfer of personal European data to the USA in the future. This was decided by the Irish Data Protection Authority (DPC) on Monday. Ten years after a corresponding complaint, she agreed with the Viennese data protection activist Max Schrems.
The fine imposed by the DPC dwarfs the previous record fine of 746 million euros for Amazon.com in Luxembourg. The case concerned Facebook’s involvement in mass surveillance by Anglo-American secret services, which was uncovered ten years ago by US whistleblower Edward Snowden.
The Irish authority is responsible because Facebook has its European headquarters in the Western European EU country. For years she had built the wall for the IT giant and refused to take any action. The European Data Protection Board (EDPB) had to oblige her to make the decision now. Against this background, Schrems described it as “absurd” that Ireland was awarded the current record fine.
Legal proceedings could take years
Experts assume that the US group will appeal the decision. However, court proceedings can take years. By then, a new data pact could come into force between the European Union and the USA, which would regulate transatlantic data traffic. Meta had previously threatened to withdraw completely from the EU if transatlantic data transfer was not permanently possible.
“We are happy about this decision after ten years of litigation,” Schrems commented on the decision. However, the fine “could have been much higher” since the maximum penalty is four billion euros. “Meta knowingly violated GDPR for ten years to make a profit.” If US surveillance laws are not changed, “Meta will probably have to fundamentally restructure its systems,” Schrems spoke of the creation of a “federal” social network in which most of the data of European users will remain in European data centers, with the exception of contacts with US users. He does not believe that Meta will withdraw from Europe because the continent is of great economic importance for the group.
Schrems also gives “no real chance” to the likely appointment of Meta. Previous violations of the law cannot be remedied by a new EU-USA data agreement. “At best, you can delay paying the fine a little,” says Schrems. Hopes for the new EU-US data agreement are also likely to be dashed soon. “It is not unlikely that the new agreement will also be declared invalid by the ECJ – just like the two previous data agreements between the EU and the USA (“Privacy Shield” and “Safe Harbor”),” the Viennese lawyer said of the new contract “perhaps a ten percent chance of not being overturned by the ECJ”.
Schrems also sees the decision as groundbreaking for other American IT giants such as Amazon, Google or Microsoft, which offer cloud solutions to European users. Each of these providers could be “affected by a similar penalty under EU law,” says Schrems. The simplest solution to the problem would be “reasonable safeguards in US law”. Legal surveillance requires reasonable suspicion and approval from a judge. According to US law, however, this only applies to its own citizens. “It would be time to grant this basic protection to EU customers of US cloud providers as well,” said Schrems.
Instagram and WhatsApp are also affected
The current decision only relates to Facebook, not to other services from the meta group such as Instagram or WhatsApp. However, Meta had already been fined 390 million euros by the DPC in January because Facebook and Instagram users had been forced to agree to personalized advertising. This decision was also made at the instigation of the Viennese data protection NGO noyb.
Meta top managers Nick Clegg (President Global Affairs) and Jennifer Newstead (Chief Legal Officer) described the DPC’s decision as “incorrect and unjustified” in an initial reaction. It sets a dangerous precedent for the countless other companies that transfer data between the EU and the US. “The decision also raises serious questions about a regulatory process that allows the European Data Protection Board to overrule a lead regulator in this way, disregarding the findings of its multi-year investigation, without giving the affected company the right to be heard.”
So far, fines of four billion euros have been imposed with the new penalty for Meta since the General Data Protection Regulation came into force five years ago. Meta is now represented six times in the list of the ten highest fines, the penalties now total 2.5 billion euros.
(WHAT)