Meta has received the largest GDPR fine to date: €1.2 billion. But the company is also subject to two orders: to stop unlawfully transferring personal data from the EU to the US, and to stop unlawfully storing EU personal data in the US.
The 216-page Meta decision comes from the Irish Data Protection Commission (DPC)—but only after fellow regulators at the European Data Protection Board (EDPB) forced Ireland to impose harsher sanctions than planned.
This article will unpack this complicated and long-running decision and consider whether Meta can meet the terms of the order without pulling out of the EU altogether.
The Background
This decision comes with a lot of baggage.
A good place to start is in 2013 when Edward Snowden revealed the full extent of US intelligence services’ surveillance operations.
This prompted privacy campaigner Max Schrems to complain to the Irish DPC about how Facebook transferred his personal data from the EU to the US.
Schrems I and II
Schrems’ complaint ended up as a 2015 court case known as “Schrems I”.
In this case, the Court of Justice of the European Union (CJEU) assessed a certification framework called “Safe Harbor”, which many companies used to transfer personal data from the EU to the US.
Safe Harbor was implemented via an “adequacy decision”—an EU legal instrument that greenlights data transfers to a given country. It’s possible to make a data transfer to a “non-adequate” country, but you must normally have another safeguard in place.
The CJEU found that Safe Harbor was illegal as it did not protect personal data from US intelligence services.
So the EU and the US negotiated a new framework to replace Safe Harbor, called “Privacy Shield”.
Schrems took Facebook to court again. In the resulting July 2020 case known as “Schrems II”, the CJEU examined Privacy Shield. Again, the court found that the framework was illegal as it did not protect personal data from US intelligence services.
The EU and the US are working on a third framework, known as the “EU-US Data Privacy Framework” (EU-US DPF). We’ll return to this later.
But it turns out Facebook was not exclusively relying on Privacy Shield. The company used another transfer safeguard known as “standard contractual clauses” (SCCs).
The CJEU did not say the SCCs were illegal. But the court did say that SCCs were not always enough to protect personal data from US intelligence services.
As such, following Schrems II, any company using SCCs must ensure they are effective. If not, the company must put other “supplementary measures” in place to make sure governments cannot access the personal data being transferred.
If this isn’t possible, the transfer can’t proceed.
The Decision
After Schrems II, the CJEU returned Schrems’ case to the Irish courts, which asked the Irish DPC to implement the decision against Meta.
After several years of debate with the EDPB, the Irish DPC has finally adopted one of the most important (if predictable) GDPR decisions yet.
The Finding
Despite the CJEU’s judgment in Schrems II, Facebook (now Meta) continued using SCCs to transfer personal data from the EU to the US.
And according to the Irish DPC, Meta did not implement any “supplementary measures” to prevent the US government from accessing EU personal data.
This means all the personal data Meta transferred to the US since July 2020 was transferred illegally.
As such, the DPC found that Meta had violated Article 46(1) of the GDPR, which states that:
“…a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
The Orders
Having found that Meta violated the GDPR, the Irish DPC issued three “corrective measures”. Meta must:
- Stop illegally transferring personal data to the US within five months.
- Stop illegally processing the personal data it transferred to the US since July 2020, within six months.
- Pay a €1.2 billion fine.
Let’s look at how Meta might deal with each of these three orders.
The Transfer ‘Suspension Order’
Meta has to stop unlawfully transferring EU Facebook users’ data to the US within five months. How will it do this?
While it seems clear that Meta didn’t comply with the international data transfer rules, it’s not obvious how the company could have done so while still maintaining EU-based users.
There are ways to keep transferred personal data secure from government access. For example, if Meta Platforms Ireland had encrypted the personal data with strong encryption before transfer, and the decryption key had stayed exclusively in the EU, out of reach of Meta Platforms Inc. and therefore of the US authorities, the data would be considered protected and the transfer could be lawful. This is the “encrypted storage” scenario the EDPB describes in its supplementary-measures recommendations.
But there’s not much the US entity can do with data it cannot decrypt. A platform like Facebook needs the operator to process content in the clear to build feeds, target ads, moderate posts and answer searches, so the importer needs the key, and the safeguard collapses.
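To make the point concrete, here is an added example (not Meta’s code and not a description of its architecture) of the pattern in the paragraph above: the EU exporter encrypts each record with AES-256-GCM and keeps the key, and the importer stores only ciphertext. The record, the entity names `EUExporter` and `USImporter`, and the sample post are constructed for illustration. The example also shows the failure mode the text describes: a feature that needs the content in the clear, here a keyword search, cannot work on the importer’s side.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Record is a constructed EU user's post as the exporter holds it in clear.
type Record struct {
	UserID string
	Body   string
}

// EUExporter stands in for the entity that generates and keeps the key.
// The key is never handed to the importer.
type EUExporter struct {
	key []byte // 32 bytes -> AES-256
}

// USImporter stands in for the importer: it only ever receives ciphertext.
type USImporter struct {
	store map[string][]byte // user ID -> nonce || ciphertext
}

func NewEUExporter() (*EUExporter, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &EUExporter{key: key}, nil
}

func (e *EUExporter) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(e.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the post body and binds the user ID as associated data,
// so a ciphertext cannot be silently re-attached to another account.
func (e *EUExporter) Seal(r Record) ([]byte, error) {
	gcm, err := e.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(r.Body), []byte(r.UserID))
	return append(nonce, ct...), nil
}

// Open reverses Seal and fails on any tampering with ciphertext or user ID.
func (e *EUExporter) Open(userID string, blob []byte) (string, error) {
	gcm, err := e.aead()
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], []byte(userID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func (u *USImporter) Put(userID string, blob []byte) { u.store[userID] = blob }
func (u *USImporter) Get(userID string) ([]byte, bool) { b, ok := u.store[userID]; return b, ok }

// SearchPosts is the kind of feature a platform (or a government request) needs.
// The importer can only scan the bytes it holds, and those are ciphertext.
func (u *USImporter) SearchPosts(keyword string) []string {
	var hits []string
	for id, blob := range u.store {
		if strings.Contains(string(blob), keyword) {
			hits = append(hits, id)
		}
	}
	return hits
}

// Demo walks one constructed record through the flow and reports what each side can do.
func Demo() (recovered string, importerHits int, crossUserErr error, err error) {
	eu, err := NewEUExporter()
	if err != nil {
		return "", 0, nil, err
	}
	us := &USImporter{store: map[string][]byte{}}
	post := Record{UserID: "eu-user-1", Body: "Holiday photos from Lisbon"} // constructed sample
	blob, err := eu.Seal(post)
	if err != nil {
		return "", 0, nil, err
	}
	us.Put(post.UserID, blob)
	importerHits = len(us.SearchPosts("Lisbon")) // importer sees only ciphertext
	stored, _ := us.Get(post.UserID)
	recovered, err = eu.Open(post.UserID, stored) // exporter, holding the key, can read it back
	if err != nil {
		return "", 0, nil, err
	}
	_, crossUserErr = eu.Open("eu-user-2", stored) // rebinding to another user must fail
	return recovered, importerHits, crossUserErr, nil
}

func main() {
	recovered, hits, crossErr, err := Demo()
	fmt.Println(recovered, hits, crossErr != nil, err)
}
```

The design point is in `SearchPosts`: as long as the key stays with the exporter, the importer holds data it cannot read, which is what makes the transfer defensible, and for the same reason it cannot run any feature that needs the content. That trade-off is why this safeguard fits backups and cold storage far better than a live social network.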
So what’s next? Meta has data centres in the EU and can afford to buy more if required. Can the company simply keep EU users’ personal data exclusively in European data centres?
There are two main reasons this might not work.
Legal Issues
US national security law gives the country’s intelligence services very broad powers to access personal data held by US companies.
In the case known as Microsoft v United States, which began with a 2013 warrant, the US government demanded that Microsoft hand over email data stored in its Dublin, Ireland data centre.
Microsoft refused, arguing that the Stored Communications Act did not reach data stored outside the US. The Second Circuit sided with Microsoft in 2016, and the case ended up at the US Supreme Court.
But before the Supreme Court decided the case, Congress changed the law by passing the CLOUD Act in March 2018. The CLOUD Act makes clear that a provider subject to US jurisdiction must produce data in its possession, custody or control regardless of where that data is stored.
The government then obtained a new warrant under the CLOUD Act, and the Supreme Court dismissed the case as moot.
This suggests Meta’s problems might not be solved solely by housing EU users’ data in Europe. Every time the US government requested access to users’ data (which happens a lot), Meta might need to violate EU law to comply with US law.
Technical Issues
It’s possible to run an EU-only social network that does not transfer personal data out of Europe. But Facebook is a global operation, and many EU users enjoy interacting with people in the US and elsewhere.
Would it be possible for an EU user to join a Facebook group with US users or buy a product from a US-based Facebook vendor without a “data transfer” occurring?
A data transfer requires at least two organisations. One transfers the data to another. A business—even a business based in the US—that collects personal data directly from an individual is not engaged in a “data transfer”.
The transfers at issue in this case were from Meta Platforms Ireland to Meta Platforms Inc. (the company’s US entity).
If Meta Platforms Ireland administered all data about EU Facebook users, including interactions with non-EU users, it might be technically feasible to run Facebook without transferring any EU users’ data.
But there’s a complication here, too.
In the CJEU case known as “Wirtschaftsakademie”, the court found that a business running a Facebook fan page is a “controller” under EU data protection law, jointly responsible with Facebook for the collection of visitors’ data that the page triggers. In “Fashion ID”, the court reached the same conclusion for a website embedding Facebook’s “Like” button.
As such, a “transfer” could occur any time an EU user interacts with a non-EU company’s Facebook page—even if the user’s personal data is stored in Europe and managed by Meta Platforms Ireland.
The ‘Stop Processing’ Order
In addition to stopping its data transfers, Meta must stop processing the personal data it has illegally transferred since July 2020.
The order specifies that “processing” includes “storing”. There is some discussion in the EDPB’s binding decision about the implications of this order.
Meta has not indicated how much data was subject to illegal transfers. However, it is established that the case involved the “bulk, repetitive and ongoing” transfer of millions of users’ data.
There are only two clear options for Meta to stop storing personal data in the US: “return” the data or delete it.
It’s not entirely clear what “returning” the personal data would look like, but the obvious interpretation would be to ensure all EU users’ personal data is stored in EU-based data centres by Meta Platforms Ireland. We looked at some potential issues with this solution above.
Meta’s allegedly chaotic approach to data governance might prevent the company from properly distinguishing EU users’ data. Furthermore, a strict delineation between EU and non-EU user data might be altogether impossible, given the GDPR’s broad definition of “personal data”.
That would leave Meta with one option: Delete all EU Facebook data transferred since July 2020.
If this is possible, it might require the erasure of all EU users’ posts, messages, photos, account details—any sign that an EU user had used the platform after July 2020 would need to be scrubbed.
The Fine
The Irish DPC initially proposed that no fine should be issued against Meta. After the EDPB dispute resolution process, the company was handed by far the largest penalty in GDPR history—€1.2 billion.
While this large penalty has made headlines, and Meta intends to appeal it, the fine is less consequential than the “transfer suspension” and “stop processing” orders explored above.
€1.2 billion is just over 1% of Meta’s $116.6 billion turnover for the relevant financial year, well below the GDPR’s ceiling of 4% of worldwide annual turnover. Even combined with the roughly €1.3 billion in other GDPR fines the company has received over the past two years, the total comes to around 2%.
Meta’s poor track record with GDPR compliance has cost the company a lot, but the savings and earnings achieved by flouting the law likely outstrip the fines—for now.
What Happens Next?
As noted, Meta is no stranger to privacy and data protection issues. But it’s important to note that Meta is far from the only business implicated by the DPC’s decision.
US-based service providers dominate the internet. Each is subject to the same laws as Meta, and each faces the same technical challenges in safeguarding personal data from the US authorities.
But it’s the EU companies using such services that are normally liable under the GDPR, as we know from the multiple cases against European websites running Google Analytics.
A solution might be around the corner if the EU adopts the EU-US Data Privacy Framework (EU-US DPF). This scheme would replace the earlier “Safe Harbor” and “Privacy Shield” frameworks and could be relied upon by Meta (and others) to make its data transfers lawful.
But the EU-US DPF might only provide temporary relief. Some EU bodies have indicated that they are not happy with the framework. And Max Schrems has indicated that he intends to challenge the new framework at CJEU.
Based on Schrems’ past performance in defeating transatlantic data transfer frameworks, his case against the EU-US DPF is likely to win. This would leave Meta back where it started—together with all other US businesses and their EU clients.
We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance.