We were expecting it, and it happened: Meta was ordered to shut down US data transfers for Facebook. The company was also fined €1.2 billion (yes, you read that right) for violating the GDPR’s data transfer rules.
The Irish Data Protection Commission (DPC) announced the decision today in a press release on its website. The full text is available on the website of the European Data Protection Board, along with the Board’s own decision that led to the fine. Unsurprisingly, Meta announced it will challenge the decision.
This case is a really big deal. The decision will likely have a deep impact on data transfer cases at a European level, and it might lead to a Facebook blackout for Europe in the near future. In other words, it’s well worth digging into.
Let’s dive in!
The DPC’s inquiry on Facebook started three years ago and stems from a 2013 complaint from Max Schrems (yes, the guy from the Schrems I and II decisions). This decision has a decade-long story, so pack a lunch (or skip ahead- we won’t blame you).
It all started when NSA whistleblower Edward Snowden leaked confidential files on the agency’s operation, including large-scale electronic surveillance programs Upstream and Prism.
Snowden’s revelations prompted Schrems to file a complaint with the Austrian data protection authority against Facebook’s data transfers to the US. He claimed that personal data transferred to Facebook in the US were unsafe because of the massive scale and indiscriminate nature of electronic surveillance over foreign data from the US government.
The Austrian authority forwarded the complaint to Ireland, where Facebook (now Meta) has its main European subsidiary. This was the start of a never-ending legal battle in which Facebook tried to postpone a final decision in every way. For years the case went back and forth between the DPC, the Irish administrative courts, and the EU Court of Justice.
The Court of Justice adopted two ruling related to Schrems’ complaint, and both had a very important impact on European privacy law. In 2015 the Schrems I ruling invalidated the Safe Harbor agreement, which greatly simplified EU-US data transfers. A new agreement, known as the Privacy Shield, later replaced the Safe Harbor, but the Court again invalidated it in the 2020 Schrems II ruling.
The Schrems II ruling does not mean personal data cannot be sent to the US. It does, however, make it more complicated to transfer data lawfully. It’s a long story, and we already discussed it in detail. In a nutshell, data transfers to the US require extra safeguards compared to other countries to protect personal data against the risk of government access.
Unfortunately, these safeguards are difficult to implement and entirely impossible for certain services, including Facebook and Google Analytics. Therefore, using certain service providers is a GDPR violation, and companies relying on them are walking on thin ice with their data transfers.
After a decade and two landmark rulings, the DPC eventually drafted a decision to suspend Facebook’s data transfers and submitted it to the European Data Protection Board (the EU institution where all data protection authorities sit). The EDPB settled the matter last month and published its decision today, along with the DPC’s subsequent and final decision on the case.
Aside from Facebook, a lot more happened after Schrems II. Privacy NGO noyb (of which Schrems himself is a member) filed a strategic set of complaints against Google Analytics in an attempt to nudge European authorities towards strict application of the Schrems II ruling. This led to several authorities ruling against Google Analytics- practically banning it from their Member States.
Between the Facebook case and the Google Analytics decisions, it’s not surprising data transfers are a hot topic right now.
The legal content of the DPC’s decision is nothing new. The premises of the decision came directly from the Schrems II judgment and were already clarified by other authorities when dealing with Google Analytics:
- First, the US is not a safe destination for data transfers
- Second, standard contractual clauses (a contractual safeguard under the GDPR) are insufficient to protect personal data transferred to the US. Contracts with companies do not solve the real problem because they do not limit the government’s power to carry out surveillance
- third, when transferring data to the US, supplementary safeguards must be implemented on top of the safeguards generally required by the GDPR. This is the only way to keep personal data confidential.
The DPC found that the standard contractual clauses in place for the data transfer (including the newest clauses drafted in 2021 by the EU Commission) contain no effective safeguard against US surveillance. The DPC also held that Meta Ireland did not implement effective supplementary safeguards for its data transfers toward Meta Platforms in the US. Therefore, the data transfers are illegal under the GDPR.
While the legal content of the decision is in no way new, the case's high profile makes it a very important one.
The defendants in the Google Analytics cases were companies that used the service on their website. They were all small fry compared to Meta: a huge multinational company with vast resources, plenty of political influence, and a compliance business in the millions. Even the US government got involved in the case and filed submissions supporting Meta’s arguments.
And yet, Meta lost. Billions of revenue were at stake, yet the company could not secure data transfers to the US despite its enormous resources and know-how. This shows beyond any doubt that certain data transfers cannot be GDPR-compliant no matter what.
The involvement of the EDPB is also very important in this case. As we mentioned, there was some back-and-forth between the DPC and the EDPB, much like in the case of Meta’s targeted advertising (we wrote about it here).
Crucially, no European authority objected to shutting down Meta’s data transfers. There was some disagreement on the fine (which the DPC did not want to impose) and on other aspects of the decision, which is why the EDPB got involved. Yet everyone agreed on the crucial point: Meta’s data transfers are illegal.
So the EDPB found a common position on data transfers. This means that all EU privacy authorities did, because they are the people who sit in the EDPB.
This was already clear beforehand: as we explained, the EDPB played an indirect role in the decisions on Google Analytics by coordinating the response at a European level. But with Meta the EDPB got involved directly and even pushed for a ten-digit fine. The message has never been clearer: playtime is over. Now it’s time to take the GDPR seriously.
The fine itself is also an interesting aspect of the decision. Not only because it is enormous, but also because of how it was calculated. It was not based on the global annual turnover for Meta Platforms Ireland, but rather on that for the entire Meta group. So the fine against Meta Platforms Ireland was commensurate with the enormous amounts of money made by the entire group of companies under Meta- which is why the amount is so large!
If regulators stick to this approach in the future, multinational corporations will not be able to limit compliance risk by invoking the relatively small size of their European subsidiaries.
It is also worth noting that GDPR fines are capped to "only" 4% of a company’s global annual turnover. On the other hand, the new Digital Services Act and Digital Markets Act of the EU allow for fines as high as 6% and 10%, respectively. If regulators stick to the same approach, then we could see some seriously large fines in the future.
(Update: the new EDPB guidelines on the calculation of fines confirm this approach for GDPR violations)
What happens next?
Meta now has six months to shut down its data transfers and erase the personal data already transferred to the US (the timeline is actually slightly more complicated, but that’s the gist of it).
As we explained not long ago, this does not mean that Facebook will shut down tomorrow. The possibility of a Facebook blackout in Europe is real, but it depends on some factors.
The EU and the US have taken steps towards a new data transfer framework (called the Trans-Atlantic Data Privacy Framework) between the EU and the US. Based on this framework, The EU Commission later drafted an adequacy decision for the US- that is, a decision that greenlights a country as a safe destination for data and makes data transfers much easier. The draft is pending Member State approval and is likely to pass (despite the overwhelmingly negative opinion of the European Parliament).
If approved before the deadline imposed by the DPC, the adequacy decision will save Meta by the bell. But this looks tricky.
The new data transfer framework is based on a complex oversight system for US intelligence activities over foreign data. This system needs to be fully implemented before the adequacy decision can be finalized. For instance, the members of the Data Protection Review Court have not been named yet, and the EU has not been designated as a “qualifying state” (that is, an entity or international organization to which the system applies). It’s hard to say whether six months will suffice for the US to finish implementing the system, and for the Commission to finalize the adequacy decision.
If the decision is adopted later, things will be more complicated for Meta. The company intends to challenge the decision and seek a stay for the DPC’s order. This could buy the company some more time.
So the much dreaded Facebook blackout ultimately depends on the timing of the adequacy decision and the outcome of Meta’s future legal actions.
Of course, there is more at stake than Facebook. Countless European companies are relying on US-based service providers, and not all of the required data transfers comply with the GDPR.
The future of EU-US data transfer ultimately depends on the Trans-Atlantic Data Privacy Framework. The picture is not too rosy: the EU Court of Justice already invalidated two such frameworks because they did not adequately protect European data, and the new framework will surely be scrutinized as well. In other words, Schrems III is already on the horizon.
It’s hard to say how Schrems III will play out: the new framework is certainly a step up from the past, but parts of it might still be problematic for the Court of Justice. And it certainly doesn’t help that the European Parliament voted against the draft by an overwhelming majority. While the Parliament’s vote is not binding, it could nudge the Court towards a stricter scrutiny of the new framework.
Bottom line: eight years after Schrems I, the future of EU-US data transfers is still uncertain.
It took a decade longer than it should have, but we are happy to see privacy law properly enforced against Meta finally.
We are also excited to tell you about this case on our blog! We hope that by keeping the legalese down to a minimum, we can make our audience as passionate about privacy law as we are.
Our passion for privacy is what brought Simple Analytics to life. We think we should all be respectful of privacy and try to do more with less personal data. When it comes to web analytics, Simple Analytics allows you to do just that by providing you with insights without collecting personal data at all. Privacy is our priority, not an afterthought.
We believe the internet should be an independent place that is friendly to website visitors. If this resonates with you, feel free to give us a try!