Meta Hit With 1.2 Billion Euros Fine For Violating the GDPR – Time It Adopted a Federated Approach

Posted on May 23, 2023 by Glyn Moody
Facebook is on the hook for EU-US data transfers.

Meta has been ordered to pay a fine of 1.2 billion euros (around $1.3 billion) for violating the EU’s General Data Protection Regulation (GDPR) by sending the personal data of people in the EU to the US, where it may be subject to mass surveillance.

Even more significant than this penalty, the largest ever imposed under the GDPR, are the other obligations on Meta. The company must stop any further transfers of EU personal data to the US within five months. It must also cease “unlawful processing, including storage” in the US of EU personal data that has been transferred there in violation of the GDPR, within six months. Both of those will be hard to implement, and Meta is naturally trying to avoid doing so.

Although the formal order comes from the problematic Irish Data Protection Commission, which is the “lead supervisory authority” on this case since Meta has its European headquarters in Ireland, the real power behind the decision is the European Data Protection Board (EDPB). In the EDPB’s press release on the move, the EDPB chair Andrea Jelinek was scathing:

The EDPB found that [Meta Platforms Ireland Limited]’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.

Can Meta Dodge the €1.2 billion GDPR Fine?

The EDPB may be the driving force behind this “strong signal,” but the person who started it all is the privacy expert Max Schrems, whose work has figured many times on the PIA blog. The fact that he began his fight to stop Facebook sending EU personal data to the US ten years ago shows how slowly things move in the world of privacy law, and how successful Meta has been at dodging the consequences of its actions – and the company clearly hopes to continue in that vein.

In response to the fine Meta said: “We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts.” The tech giant is also trying to divert attention from its own unlawful activities to more general issues. It argues that this is not about one company’s privacy practices, but is just one facet of “a fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer.”

As reported on the PIA blog, there has indeed been a tension between the US government’s desire to spy on non-US persons through Section 702 of the 2008 FISA Amendments Act and the EU’s focus on protecting online privacy, most notably in the form of the GDPR. That tension has resulted in a number of key judgments from the EU’s top court, the Court of Justice of the European Union (CJEU). In particular, the CJEU struck down not one, but two frameworks to allow the legal transfer of EU personal data to the US – Safe Harbor in 2015, then Privacy Shield in 2020.

Will the EU-US Data Privacy Framework Pass Legal Muster?

Meta’s comment is referring to the third attempt to draw up rules for transatlantic data flows, known as the Data Privacy Framework. However, as we noted on the blog last year, it is by no means clear that the new framework will survive a challenge at the CJEU any better than its predecessors did.

Max Schrems has already indicated that he is likely to bring such a challenge, and he does have a good track record for winning such cases. The European Parliament has also expressed its doubts, concluding that “the EU-US Data Privacy Framework fails to create essential equivalence in the level of [privacy] protection”.

Meta complains that it has “been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.” It is certainly true that the reasoning behind the ruling applies to other companies using that mechanism too, notably online giants such as Google and Microsoft. But Meta tries to paint the latest GDPR ruling as a disaster for the entire Internet:

Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.

As a post on Schrems’ site explains, that’s not the case:

The long term solution seems to be some form of ‘federated social network’ where most personal data would stay in the EU, while only ‘necessary’ transfers would continue – for example when a European sends a direct message to a US friend. While Meta only got a short implementation period to come up with a solution, it knew about the legal situation for ten years and was already served with a draft decision in 2022.

Meta Already Has the Solution, It Just Doesn’t Like It

[Image: homepage of Mastodon Social. Caption: Soon, your Facebook feed might look like this.]

Meta has not only known for years about the possibility that it would be forced to keep EU personal data on EU servers, it has also been working on federated technologies that could make it GDPR-compliant. As PIA reported a couple of months ago, Meta has a project known as P92, which adopts the federated technology behind the Twitter alternative Mastodon. Given the size of Meta, it seems highly likely that it has already done work on federated versions of Facebook and its other services.
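To make the residency idea in the Schrems quote concrete, here is a small added model (illustration written for this article, not code from Meta’s P92, Mastodon or noyb). It assumes two regions, “EU” and “US”, a user’s home server in the user’s own region, and a “necessary” flag on each cross-border transfer; all of those, and the sample handles and messages, are assumptions constructed here. A federated design writes every object to the author’s home region and lets only a message addressed to someone abroad cross the border; the centralised variant shows the replicate-everything pattern the decision objects to, and an audit function surfaces the difference.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    handle: str
    region: str  # "EU" or "US": the region of this user's home server (assumed scheme)


@dataclass(frozen=True)
class Activity:
    kind: str  # "post" (stays with the author) or "dm" (one named recipient)
    actor: User
    content: str
    to: User | None = None


@dataclass(frozen=True)
class Transfer:
    """One movement of personal data across a region boundary, kept for audit."""
    from_region: str
    to_region: str
    data: str
    necessary: bool  # True only when a user's own action required this delivery


class FederatedNetwork:
    """Objects are written to the actor's home region. The only thing that
    crosses a border is a message whose addressee lives in another region."""

    def __init__(self) -> None:
        # region -> handle -> objects held on that region's servers
        self.store: dict[str, dict[str, list[str]]] = {"EU": {}, "US": {}}
        self.transfers: list[Transfer] = []

    def _put(self, region: str, handle: str, obj: str) -> None:
        self.store[region].setdefault(handle, []).append(obj)

    def handle(self, act: Activity) -> None:
        self._put(act.actor.region, act.actor.handle, act.content)
        if act.kind == "dm" and act.to is not None and act.to.region != act.actor.region:
            # Deliver just this message to the recipient's home server; the
            # author's other posts and profile data never leave their region.
            self._put(act.to.region, act.to.handle, act.content)
            self.transfers.append(
                Transfer(act.actor.region, act.to.region, act.content, necessary=True)
            )


class CentralisedNetwork(FederatedNetwork):
    """The pattern the decision objects to: every object is also copied to the
    US region, whether or not anyone there was meant to receive it."""

    def handle(self, act: Activity) -> None:
        super().handle(act)
        if act.actor.region != "US":
            self._put("US", act.actor.handle, act.content)
            self.transfers.append(
                Transfer(act.actor.region, "US", act.content, necessary=False)
            )


def unnecessary_transfers(net: FederatedNetwork) -> list[Transfer]:
    """Audit: cross-border transfers that no user's own action required."""
    return [t for t in net.transfers if not t.necessary]


def run_scenario(net: FederatedNetwork) -> FederatedNetwork:
    """Constructed sample traffic: an EU user posts, then DMs a US friend."""
    alice = User("alice@eu.example", "EU")
    bob = User("bob@us.example", "US")
    net.handle(Activity("post", alice, "hello from Vienna"))
    net.handle(Activity("dm", alice, "coffee next week?", to=bob))
    return net


if __name__ == "__main__":
    fed = run_scenario(FederatedNetwork())
    central = run_scenario(CentralisedNetwork())
    print("federated cross-border transfers:", len(fed.transfers))          # 1, the DM only
    print("federated unnecessary transfers:", len(unnecessary_transfers(fed)))        # 0
    print("centralised unnecessary transfers:", len(unnecessary_transfers(central)))  # 2
```

In the federated run the US region holds nothing under the EU author’s handle, only the one message the US recipient was meant to get; the centralised run ends up with two transfers that no user asked for, which is exactly the class of “systematic, repetitive and continuous” transfer the EDPB describes.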

Despite Meta’s claims, the Internet is not under threat. But there is some hope that the current model of surveillance advertising that is used as the main business model online, despite its almost total disregard for privacy, may finally be tackled under the GDPR.

Schrems points out that class actions against Meta may be possible following a recent judgment by the CJEU that allows people to claim “emotional damages” for violations of their data protection rights, such as being made subject to US mass surveillance. In addition, the EU’s Collective Redress Directive will allow class actions for GDPR violations. So, even if the journey to this point has been long and slow, there are now some grounds for optimism that online privacy will improve in the coming years – first in the EU, then, as a consequence, elsewhere.