Meta was just fined a whopping €1.2 billion by Ireland’s data protection authority for unlawful data transfers. There’s a problem, though. The deadline for Meta’s obligation to legalize its data transfers is 6 months, and the new EU-US data transfer agreement will be signed before that.
The new data transfer, dubbed the Data Privacy Framework (DPF) is set to harmonize the GDPR legislation and the US data collection. Once that data agreement is signed, all of Meta’s “unlawful” data transfer becomes lawful, all of a sudden.
What’s more, Meta can also appeal the fine under the Irish law and at the European Court of Justice.
Estelle Massé, a campaigner at digital privacy NGO Access Now, told EUobserver that “This decision might not mean much for people’s rights. In practice, it would that actually Facebook would have to do ntohing, because they would have a new legal basis under which the data can move to the US and stay there.“
Theoretically, Facebook would either have to delete vast amounts of user data or move it back from the US on European grounds. But this might not be necessary after the DPF is validated.
Massé also claims that “They’ve been setting aside money for some time now in preparation for this fine. Based on what they told their investors just a month ago, and what they were expecting from ths fine, I’m expecting Facebook stock to go up today.“
Meta knew this fine would be coming because it received ample warnings from European GDPR regulators over the years. Even if they have to pay the full sum, they’re more than prepared to shoulder it.
But in all likelihood, according to the newest sources, they’ll find a way out of this predicament.
Massé herself accepts the irony of this ruling, effectively giving Meta 6 months to delete the data or be fined, while the new EU-US DPF would overrule all of it.
However, Max Schrems, a privacy campaigner, said that “Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix. In my view, the new deal has maybe a ten percent chance of not being killed by the CJEU. Unless US surveillance laws get fixed, Meta will likely have to keep EU data in the EU.“
The GDPR Is Unabated in Upholding User Privacy
Over the years, Ireland has faced a lot of scrutiny from privacy activists who claimed that the GDPR as becoming lax in its promises of data privacy enforcement.
And Ireland, which houses the regional headquarters of Meta, Twitter, TikTok, Microsoft and Apple, was at the center of these privacy scandals.
In this particular case, a board of representatives for EU countries overruled the Irish authorities and enforced the €1.2 billion fine on Meta.
Andrea Jelinek, the chairwoman of the European Data Protection Board, said that “The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.“
It remains to be seen whether will actually pay this fine, delete its user data, or not do anything at all as it waits for the new Data Protection Framework to come into effect.