Overview

On September 5,2023,the European Commission announced a €1.2 billion fine against Meta (formerly Facebook) for transferring personal data of European Union citizens to the United states in violation of the General Data Protection Regulation (GDPR). The Commission alleges Meta failed to adequately protect user data from potential access by U.S. intelligence agencies.

the Commission’s Findings

The European Commission steadfast that Meta continued to transfer personal data to the U.S. despite the 2020 ruling by the Court of Justice of the European Union (CJEU) in the Schrems II case. This ruling invalidated the Privacy Shield framework, which previously allowed for the transfer of personal data between the EU and the U.S. The Commission found that Meta did not implement sufficient safeguards to protect EU citizens’ data once it reached the U.S., leaving it vulnerable to surveillance by U.S. authorities.

Specifically, the commission cited concerns about U.S. surveillance laws, such as Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows U.S. intelligence agencies to collect data on non-U.S. citizens located outside the U.S. the Commission argued that these laws do not offer EU citizens equivalent protections to those they enjoy within the EU.

Comparison to Previous Fines

The Commission’s multibillion-euro fine falls short of the €4.34 billion fine the EU executive slapped on Google in 2018 over abuse of dominance related to Android mobile devices, but is higher than the €2.42 billion fine the firm faced for favoring its own comparison-shopping service in 2017. These fines demonstrate the EU’s willingness to impose notable penalties on tech companies for GDPR violations.

Parallel U.S. Legal Proceedings

The Commission’s decision comes as a parallel case before the U.S. courts will soon come to trial.in April 2023, a U.S. federal judge found that Google illegally maintained a monopoly in display search advertising, and a trial is scheduled to begin September 2023. This case, brought by the U.S.Department of Justice, further illustrates the increasing scrutiny of Big Tech’s market power and data practices on both sides of the Atlantic.

Meta’s Response and Potential appeals

Meta has stated its intention to appeal the European Commission’s decision. The company argues that it has taken steps to protect user data and that the Commission’s concerns are unfounded. Meta may seek to demonstrate that it has implemented technical and contractual safeguards to mitigate the risks associated with data transfers to the U.S. The appeal process coudl take several years to resolve.

Impact on Transatlantic Data Flows

This fine and the underlying legal issues have significant implications for transatlantic data flows. Many companies rely on the ability to transfer data between the EU and the U.S. for business operations. The invalidation of the Privacy Shield and the ongoing concerns about U.S. surveillance laws have created uncertainty for businesses. The EU and the U.S. are currently negotiating a new data transfer framework, but its success is not guaranteed.

The European Data Protection Board (EDPB) is also providing guidance to national data protection authorities on how to assess the risks associated with data transfers to the U.S. following the Schrems II ruling. Companies are expected to conduct thorough risk assessments and implement appropriate safeguards to ensure compliance with GDPR.