€1.2 billion GDPR fine for Meta over US mass surveillance

Today, a decade-long (2013 - 2023) case on Meta's involvement in US mass surveillance has led to a first direct decision. Meta must stop any further transfers of European personal data to the United States, given that Meta is subject to US surveillance laws (like FISA 702). The European Data Protection Board (EDPB) had largely overturned the Irish Data Protection Commission's (DPC) decision, insisting on a record fine and that previously transferred data must be brought back to the EU.

By noyb (guest author) · May 31, 2023

Major blow for Meta

Ever since Edward Snowden’s revelations on US Big Tech aiding the NSA mass surveillance apparatus, Facebook (now Meta) was subject to litigation in Ireland. For ten years, Meta has not taken any material precautions, but simply ignored the European Court of Justice (CJEU) and the EDPB. Now Meta does not only have to pay a record fine of € 1.2 billion, but must also return all personal data to its EU data centers.

The current conflict between EU privacy laws and US surveillance laws is also a problem for all other large US cloud providers, such as Microsoft, Google or Amazon. The appetite for material changes may be larger for US Big Tech, now where there is the first major fine from EU data protection authorities.

EDRi member noyb expects Meta to file an appeal with the Irish and potentially the European Courts, however the chances to have this decision materially overturned are low: The CJEU has already decided that there was no valid legal basis for EU-US data transfers in two cases between 2007 and 2023. There is also no option for any new deal to legalise previous violations of the law.

Future transfers: Meta’s hopes for new EU-US deal on shaky ground

For all future transfers, Meta now hopes to switch to a new EU-US data transfer deal. These hopes may however be shattered soon. It is not unlikely that the new deal will be invalidated by the CJEU – just like the two previous EU-US data deals (“Privacy Shield” and “Safe Harbor”). Such invalidations have retroactive effect.

Ten years, three court proceedings and millions in legal costs. The Irish DPC’s role in this procedure is exceptional, as it has consistently tried to block the case from going ahead. Overall these procedures lead to costs of more than 10 million Euro – the fine, however, will go to the Irish state.

Implementation period, no imminent stop of services. Previously, Facebook / Meta spread the rumour that it would stop providing services in Europe. Given that Europe is by far the biggest source of income outside of the US and Meta has already built local data centers in the EU, these announcements are hardly credible. While Meta only got a short implementation period to come up with a solution, it knew about the legal situation for ten years and was already served with a draft decision in 2022.

Further litigation may follow

Pending class action in the Netherlands. Under a recent judgement by the CJEU users may also be able to claim emotional damages for smaller violations of their data protection rights – such as making it subject to US mass surveillance. This will lead to claims that may far exceed today’s penalty. Furthermore, the EU’s Collective Redress Directive must also be implemented this summer, which will for the first time allow collective actions by European users for GDPR violations.

Contribution by: EDRi member, noyb