{"id":24400,"date":"2023-05-23T06:17:49","date_gmt":"2023-05-23T13:17:49","guid":{"rendered":"https:\/\/www.privateinternetaccess.com\/blog\/?p=24400"},"modified":"2024-01-25T02:12:23","modified_gmt":"2024-01-25T10:12:23","slug":"meta-gdpr-fine","status":"publish","type":"post","link":"https:\/\/www.privateinternetaccess.com\/blog\/meta-gdpr-fine\/","title":{"rendered":"Meta Hit With 1.2 Billion Euros Fine For Violating the GDPR \u2013 Time It Adopted a Federated Approach"},"content":{"rendered":"\n

Meta has been ordered to pay a fine of 1.2 billion euros<\/a> (around $1.3 billion) for violating the EU\u2019s General Data Protection Regulation<\/a> (GDPR) by sending personal data of EU citizens to the US, where it may be subject to mass surveillance. <\/p>\n\n\n\n

Even more significant than this penalty, the largest ever imposed under the GDPR, are the other obligations on Meta. The company must stop any further transfers of EU personal data to the US within five months. It must also cease \u201cunlawful processing, including storage\u201d in the US of EU personal data that has been transferred there in violation of the GDPR, within six months. Both of those will be hard to implement, and Meta is naturally trying to avoid doing so.<\/p>\n\n\n\n

Although the formal order comes from the problematic<\/a> Irish Data Protection Commission, which is the \u201clead supervisory authority\u201d on this case since Meta has its European headquarters in Ireland, the real power behind the decision is the European Data Protection Board (EDPB). In the EDPB\u2019s press release<\/a> on the move, the EDPB chair Andrew Jelinek was scathing:<\/p>\n\n\n\n

\n

The EDPB found that [Meta Platforms Ireland Limited]\u2019s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.<\/p>\n<\/blockquote>\n\n\n\n

Can Meta Dodge the \u20ac1.2 billion GDPR Fine?<\/h2>\n\n\n\n

The EDPB may be the driving force behind this \u201cstrong signal,\u201d but the person who started it all is the privacy expert Max Schrems, whose work has figured many times on PIA blog<\/a>. The fact that he began his fight<\/a> to stop Facebook sending EU personal data to the US ten years ago shows how slowly things move in the world of privacy law, and how successful Meta has been at dodging the consequences of its actions \u2013 and the company clearly hopes to continue in that vein.<\/p>\n\n\n\n

In response to the fine<\/a> Meta said: \u201cWe will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts.\u201d The tech giant is also trying to divert attention from its own unlawful activities to more general issues. It argues that this is not about one company\u2019s privacy practices, but is just one facet of \u201ca fundamental conflict of law between the US government\u2019s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer.\u201d<\/p>\n\n\n\n

As reported on the PIA blog, there has indeed been a tension between the US government\u2019s desire to spy on non-US persons through Section 702 of the 2008 FISA Amendments Act<\/a> and the EU\u2019s focus on protecting online privacy, mostly notably in the form of the GDPR. That tension has resulted in a number of key judgments from the EU\u2019s top court, the Court of Justice of the European Union (CJEU). In particular, the CJEU struck down not one, but two frameworks to allow the legal transfer of EU personal data to the US \u2013 Safe Harbor<\/a> in 2015, then Privacy Shield<\/a> in 2020.<\/p>\n\n\n\n

Will the EU-US Data Privacy Framework Pass Legal Muster?<\/h2>\n\n\n\n

Meta\u2019s comment is referring to the third attempt to draw up rules for transatlantic data flows, known as the Data Privacy Framework<\/a>. However, we noted on the blog last year, it is by no means clear that the new framework will survive a challenge at the CJEU any better than its predecessors did. <\/p>\n\n\n\n

Max Schrems has already indicated that he is likely to bring such a challenge, and he does have a good track record for winning such cases. The European Parliament has also expressed its doubts<\/a>, concluding that \u201cthe EU-US Data Privacy Framework fails to create essential equivalence in the level of [privacy] protection\u201d.<\/p>\n\n\n\n

Meta complains that it has \u201cbeen singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.\u201d It is certainly true that the ruling will apply to other companies too, notably online giants such as Google and Microsoft. But Meta tries to paint the latest GDPR ruling as a disaster for the entire Internet:<\/p>\n\n\n\n

\n

Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.<\/p>\n<\/blockquote>\n\n\n\n

As a post on Schrems\u2019 noyb.eu site explains, that\u2019s not the case<\/a>:<\/p>\n\n\n\n

\n

The long term solution seems to be some form of \u2018federated social network\u2019 where most personal data would stay in the EU, while only \u2018necessary\u2019 transfers would continue \u2013 for example when a European sends a direct message to a US friend. While Meta only got a short implementation period to come up with a solution, it knew about the legal situation for ten years and was already served with a draft decision in 2022.<\/p>\n<\/blockquote>\n\n\n\n

Meta Already Has the Solution, It Just Doesn\u2019t Like It<\/h2>\n\n\n
\n
\"Homepage
Soon, your Facebook feed might look like this.<\/figcaption><\/figure>\n<\/div>\n\n\n

Meta has not only known for years about the possibility that it would be forced to keep EU personal data on EU servers, it has also been working on federated technologies that make it GDPR-compliant. As PIA reported a couple of months ago, Meta has a project known as P92<\/a>, which adopts the federated technology behind the Twitter alternative Mastodon. Given the size of Meta, it seems highly likely that it has already done work on federated versions of Facebook and its other services.<\/p>\n\n\n\n

Despite Meta\u2019s claims, the Internet is not under threat. But there is some hope that the current model of surveillance advertising<\/a> that is used as the main business model online, despite its almost total disregard for privacy, may finally be tackled under the GDPR. <\/p>\n\n\n\n

Schrems points out class actions against Meta may be possible following a recent judgment by the CJEU that allows people to claim \u201cemotional damages<\/a>\u201d for violations of their data protection rights, such as making them subject to US mass surveillance. In addition, the EU\u2019s Collective Redress Directive<\/a> will allow class actions for GDPR violations. So, even if the journey to this point has been long and slow, there are now some grounds for optimism that online privacy will improve in the coming years \u2013 first in the EU, then, as a consequence, elsewhere.<\/p>\n\n\n\n