We were expecting it, and it happened: Meta was ordered to shut down US data transfers for Facebook. The company was also fined €1.2 billion (yes, you read that right) for violating the GDPR’s data transfer rules.
The Irish Data Protection Commission (DPC) announced the decision today in a press release on its website. The full text is available on the website of the European Data Protection Board, along with the Board’s own decision that led to the fine. Unsurprisingly, Meta announced it will challenge the decision.
This case is a really big deal. The decision will likely have a deep impact on data transfer cases at a European level, and it might lead to a Facebook blackout for Europe in the near future. In other words, it’s well worth digging into.
Let’s dive in!
The story
The DPC’s inquiry on Facebook started three years ago and stems from a 2013 complaint from Max Schrems (yes, the guy from the Schrems I and II decisions). This decision has a decade-long story, so pack a lunch (or skip ahead- we won’t blame you).
It all started when NSA whistleblower Edward Snowden leaked confidential files on the agency’s operation, including large-scale electronic surveillance programs Upstream and Prism.
Snowden’s revelations prompted Schrems to file a complaint with the Austrian data protection authority against Facebook’s data transfers to the US. He claimed that personal data transferred to Facebook in the US were unsafe because of the massive scale and indiscriminate nature of electronic surveillance over foreign data from the US government.
The Austrian authority forwarded the complaint to Ireland, where Facebook (now Meta) has its main European subsidiary. This was the start of a never-ending legal battle in which Facebook tried to postpone a final decision in every way. For years the case went back and forth between the DPC, the Irish administrative courts, and the EU Court of Justice.
The Court of Justice adopted two ruling related to Schrems’ complaint, and both had a very important impact on European privacy law. In 2015 the Schrems I ruling invalidated the Safe Harbor agreement, which greatly simplified EU-US data transfers. A new agreement, known as the Privacy Shield, later replaced the Safe Harbor, but the Court again invalidated it in the 2020 Schrems II ruling.
The Schrems II ruling does not mean personal data cannot be sent to the US. It does, however, make it more complicated to transfer data lawfully. It’s a long story, and we already discussed it in detail. In a nutshell, data transfers to the US require extra safeguards compared to other countries to protect personal data against the risk of government access.
Unfortunately, these safeguards are difficult to implement and entirely impossible for certain services, including Facebook and Google Analytics. Therefore, using certain service providers is a GDPR violation, and companies relying on them are walking on thin ice with their data transfers.
After a decade and two landmark rulings, the DPC eventually drafted a decision to suspend Facebook’s data transfers and submitted it to the European Data Protection Board (the EU institution where all data protection authorities sit). The EDPB settled the matter last month and published its decision today, along with the DPC’s subsequent and final decision on the case.
Aside from Facebook, a lot more happened after Schrems II. Privacy NGO noyb (of which Schrems himself is a member) filed a strategic set of complaints against Google Analytics in an attempt to nudge European authorities towards strict application of the Schrems II ruling. This led to several authorities ruling against Google Analytics- practically banning it from their Member States.
Between the Facebook case and the Google Analytics decisions, it’s not surprising data transfers are a hot topic right now.
The decision
The legal content of the DPC’s decision is nothing new. The premises of the decision came directly from the Schrems II judgment and were already clarified by other authorities when dealing with Google Analytics:
- First, the US is not a safe destination for data transfers
- Second, standard contractual clauses (a contractual safeguard under the GDPR) are insufficient to protect personal data transferred to the US. Contracts with companies do not solve the real problem because they do not limit the government’s power to carry out surveillance
- third, when transferring data to the US, supplementary safeguards must be implemented on top of the safeguards generally required by the GDPR. This is the only way to keep personal data confidential.
The DPC found that Meta Ireland did not implement effective supplementary safeguards for its data transfers toward Meta Platforms in the US. Therefore, the data transfers are illegal under the GDPR.
While the legal content of the decision is in no way new, the case's high profile makes it a very important one.
The defendants in the Google Analytics cases were companies that used the service on their website. They were all small fry compared to Meta: a huge multinational company with vast resources, plenty of political influence, and a compliance business in the millions. Even the US government got involved in the case and filed submissions supporting Meta’s arguments.
And yet, Meta lost. Billions of revenue were at stake, yet the company could not secure data transfers to the US despite its enormous resources and know-how. This shows beyond all doubt that certain data transfers simply cannot be implemented in a GDPR-compliant way.
The involvement of the EDPB is also very important in this case. As we mentioned, there was some back-and-forth between the DPC and the EDPB, much like in the case of Meta’s targeted advertising (we wrote about it here).
No European authority objected to the DPC shutting down Meta’s data transfers. There was some disagreement on the fine (which the DPC did not want to impose) and on other aspects of the decision, which is why the EDPB got involved. Yet everyone agreed on the crucial point: Meta’s data transfers are illegal.
So the EDPB- and, by extension, European privacy authorities- found a common position on data transfers. This was already clear beforehand: as we explained, the EDPB played an indirect role in the decisions on Google Analytics by coordinating the response at a European level.
But with Meta the EDPB got involved directly and pushed for a ten-digit fine. The message has never been clearer: playtime is over. Now it’s time to take the GDPR seriously.
What happens next?
Meta now has six months to shut down its data transfers and erase the personal data already transferred to the US (the timeline is actually slightly more complicated, but that’s the gist of it).
As we explained not long ago, this does not mean that Facebook will shut down tomorrow. The possibility of a Facebook blackout in Europe is real, but it depends on some factors.
The EU and the US have taken steps towards a new data transfer framework (called the Trans-Atlantic Data Privacy Framework) between the EU and the US. Based on this framework, The EU Commission later drafted an adequacy decision for the US- that is, a decision that greenlights a country as a safe destination for data and makes data transfers much easier. The draft is pending Member State approval and is likely to pass (despite the overwhelmingly negative opinion of the European Parliament).
If approved before the deadline imposed by the DPC, the adequacy decision will save Meta by the bell.
If the decision is adopted later, things will be a bit more complicated for Meta. The company intends to challenge the decision and seek a stay for the DPC’s order. This could buy it some time, should the adequacy decision come too late.
So the much dreaded Facebook blackout ultimately depends on the timing of the adequacy decision and the outcome of Meta’s future legal actions.
Of course, there is more at stake than Facebook. Countless European companies are relying on US-based service providers, and not all of the required data transfers comply with the GDPR.
The future of EU-US data transfer ultimately depends on the Trans-Atlantic Data Privacy Framework. The picture is not too rosy: the EU Court of Justice already invalidated two such frameworks because they did not adequately protect European data, and the new framework will surely be scrutinized as well. In other words, Schrems III is already on the horizon.
It’s hard to say how Schrems III will play out: the new framework is certainly a step up from the past, but parts of it might still be problematic for the Court of Justice. And it certainly doesn’t help that the European Parliament voted against the draft by an overwhelming majority. While the Parliament’s vote is not binding, it could nudge the Court towards a stricter scrutiny of the new framework.
Bottom line: eight years after Schrems I, the future of EU-US data transfers is still uncertain.
Conclusions
It took a decade longer than it should have, but we are happy to see privacy law properly enforced against Meta finally.
We are also excited to tell you about this case on our blog! We hope that by keeping the legalese down to a minimum, we can make our audience as passionate about privacy law as we are.
Our passion for privacy is what brought Simple Analytics to life. We think we should all be respectful of privacy and try to do more with less personal data. When it comes to web analytics, Simple Analytics allows you to do just that by providing you with insights without collecting personal data at all. Privacy is our priority, not an afterthought.
We believe the internet should be an independent place that is friendly to website visitors. If this resonates with you, feel free to give us a try!