European regulators hit Meta with a $1.3 billion fine on Monday, the largest ever brought under the European Union’s General Data Protection Regulation law and comes alongside orders that Meta must stop future transatlantic data transfers to the U.S. within five months.
The order has the potential to radically reshape Facebook’s business in Europe and throws into question the future of billions of data transfers made daily between U.S. companies and European counterparts, potentially leading the global tech industry toward a regime of data localization that closes off global trade and raises new security concerns.
At the center of how the penalties will ripple through the industry in the coming months is a pending agreement between EU and American officials on a new agreement regulating the transatlantic exchange of personal data for commercial purposes. Failure to reach an agreement could force Meta and other companies into ceasing data transfers with the European Union, requiring them to cordon off EU users from the rest of the world or potentially pulling services altogether.
“It puts tremendous pressure on the U.S. government and the European Council to move forward as quickly as possible,” said Caitlin Fennessy, vice president at the International Association of Privacy Professionals and former director of the U.S. Privacy Shield, the previous data transfer agreement between the EU and the United States that was invalidated in 2020.
“The impact of stopping transfers hits both EU and US companies and their economies,” she said, noting that 94% of IAPP’s members use the same form of the data transfer agreement as Meta.
The European Union and the U.S. first reached a privacy agreement in 2016 as a means of deeming the protection of the transfer of EU data adequate under GDPR. A 2020 Court of Justice of the European Union decision about a case challenging Facebook’s transfer of EU data invalidated the agreement.
Ireland’s Data Protection Commission issued Monday’s penalties against Meta after finding the company failed to comply with a 2020 EU court decision that invalidated a data transfer agreement between the U.S. and the European Union. The court case,
In March 2022, the U.S. and EU announced they had reached an agreement on a framework for a new deal but both parties are still ironing out details. Officials have said publicly they expect to finalize the agreement this summer, likely before the six-month deadline for Meta to come into compliance with the order.
Meta said in a statement that there would be no immediate disruption to Facebook and that it planned to appeal both the decision and the fine, seeking an immediate stay on deadlines for changes.
“Ultimately, the invalidation of Privacy Shield in 2020 was caused by a fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans,” Nick Clegg, Meta president of global affairs, and Jennifer Newstead, Meta’s chief legal officer wrote in a blog on Monday. “It is a conflict that neither Meta nor any other business could resolve on its own. We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.”
The ripple effects of the decision are likely to extend to many other tech companies with users in Europe. “This issue goes far beyond Meta; the time has come for the United States and the European Union to operationalize this agreement quickly, returning certainty to data flows that underpin transatlantic economic ties, society, and our international cooperation,” Sean Heather, senior vice president for International Regulatory Affairs and Antitrust at the U.S. Chamber of Commerce, wrote in a statement.
Another trade group, Computer & Communications Industry Association, warned that the decision “effectively makes the way the internet works illegal, from video conferencing and browsing the internet, to the processing of online payments.”
The order, while adding to Meta’s heavy tab of global fines for violating user privacy, also speaks to a larger conflict between the U.S. and the European Union over spying on European user data through digital surveillance programs. Specifically, in its decision to invalidate the last privacy shield, the CJEU expressed concerns about Section 702 of the Foreign Intelligence Surveillance Act, which allows for the warrantless searches of foreign persons, as well as Executive Order 12333, another foreign intelligence gathering authority.
The fine shows that U.S. surveillance programs “have real-world consequences for businesses. Data transfers from the EU are critical to thousands of businesses in the U.S., including small and medium-sized ones,” said Ashley Gorski, a staff attorney at the American Civil Liberties Union. “The DPC’s decision puts the legality of all those transfers in doubt.”
“This decision is about the NSA and U.S. law, not about Facebook’s practices,” Georgetown Law professor Anupam Chander tweeted on Monday.
The order by Ireland’s Data Protection Commission specifically points to concerns about how U.S. surveillance programs ensnare the data of European citizens. Regulators note that those concerns spread beyond Meta.
The regulators concluded that while Monday’s decision only applied to Meta Ireland it “exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA.”
A new privacy framework would only provide a “bandaid” for those risks, Eduardo Ustaran, global co-head of the Hogan Lovells Privacy and Cybersecurity practice, during an online webinar Monday. He said that so long as companies are subject to U.S. surveillance programs, there’s little they can do to remedy the concern expressed by regulators.
“This is a test in a way that a company tried to do everything that was possible to do in terms of legal measures, organizational measures, technical measures — and despite all that still didn’t eliminate the risk that led to the enforcement action,” he said.
Last fall, the Biden administration created by executive order a new redress system for EU citizens who believe that U.S. intelligence collected their personal data in ways that violate American laws. However, DPC regulators found that since the review process is not yet in effect it didn’t remedy concerns in the complaint.
Moreover, there are questions if the surveillance reforms undertaken by the U.S. would fully satisfy concerns raised by the EU courts and privacy advocates, who have already expressed doubts about the surveillance reforms.
One of the programs that the Court of Justice of the European Union has raised significant concerns about, Section 702, is currently up for reauthorization. While reforms to the program are unlikely to occur before the European Commission makes its decision about the adequacy of a new data transfer agreement, the threat to U.S. businesses raised by Monday’s agreement could add to the urgency for reform.
“It was already clear that Congress needs to enact meaningful surveillance reform this year,” said Gorski. “The DPC’s decision makes that even clearer.”
Fennessy from IAPP said that the decision will force companies operating in the European Union to reevaluate their operations. “I think there is a big open question to the near-term effects this decision will have on their risk calculus,” she said. “There is now an immediate 1.2 billion price tag to the data transfers that happened and are happening now.”