€ 1.2 billion GDPR fine for Meta over US mass surveillance. Decision required 10 years and 3 court procedures against Irish DPC.
Today, a decade-long (2013 – 2023) case on Meta’s involvement in US mass surveillance has led to a first direct decision. Meta must stop any further transfers of European personal data to the United States, given that Meta is subject to US surveillance laws (like FISA 702). The EDPB had largely overturned the Irish DPC’s decision, insisting on a record fine and that previously transferred data must be brought back to the EU.
- As multiple media outlets have broken the DPC’s embargo for 12:00 CET, the following information is not embargoed anymore
- Press Release of the Irish DPC
- EDPB Decision in the Case
Major blow for Meta. Ever since Edward Snowden’s revelations on US big tech aiding the NSA mass surveillance apparatus, Facebook (now Meta) has been subject to litigation in Ireland. For ten years, Meta has not taken any material precaution, but simply ignored the European Court of Justice (CJEU) and the European Data Protection Board (EDPB). Now Meta not only has to pay a record fine of € 1.2 billion, but must also return all personal data to its EU data centers.
Max Schrems: “We are happy to see this decision after ten years of litigation. The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”
FISA 702 subject to reauthorization. The current conflict between EU privacy laws and US surveillance laws is also a problem for all other large US cloud providers, such as Microsoft, Google or Amazon. The underlying US surveillance law (FISA 702) must be reauthorized by December 2023. The appetite for material changes may be larger for US big tech, now that there is the first major fine from EU data protection authorities. Numerous decisions from France, Italy and Austria found the use of US services unlawful, but did not include a major fine.
Max Schrems: “The simplest fix would be reasonable limitations in US surveillance law. There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance. It would be time to grant these basic protections to EU customers of US cloud providers. Any other big US cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under EU law.”
Past violations – successful appeal unlikely. We expect Meta to file an appeal with the Irish and potentially the European Courts; however, the chances of having this decision materially overturned are low: the CJEU has already decided that there was no valid legal basis for EU-US data transfers in two cases between 2007 and 2023. There is also no option for any new deal to legalize previous violations of the law.
Max Schrems: “Meta will appeal this decision, but there is no real chance to have this decision materially overturned. Past violations cannot be overcome by a new EU-US deal. Meta can at best delay the payment of the fine for a bit.”
Future transfers: Meta’s hopes for new EU-US deal on shaky ground…