Meta fine indicates EU losing patience, say data privacy campaigners

Order to delete data processed and stored unlawfully in US could be more problematic for Facebook owner than €1.2bn fine

The decision against Meta follows a complaint by privacy activist Max Schrems about the method being used by Facebook to transfer his personal data to the US
The decision against Meta follows a complaint by privacy activist Max Schrems about the method being used by Facebook to transfer his personal data to the US

The €1.2 billion fine imposed on Meta Ireland by the data-protection watchdog is not a case of Ireland being tough but rather Europe losing patience, data privacy campaigners have said.

The original draft decision from Irish Data Protection Commissioner (DPC) Helen Dixon did not include the financial penalty, but European watchdogs insisted on tougher sanctions. The European Data Protection Board’s dispute-resolution process also instructed the Irish authority to stipulate the return of data transferred from the European Union to the United States.

While the fine has been headline-grabbing, it is the order to delete data processed and stored unlawfully in the US that could be more troublesome for the social media giant, the Irish Council for Civil Liberties (ICCL) said.

“The fine is almost immaterial,” said Johnny Ryan, senior fellow with the ICCL. “Even a €1 billion parking ticket is of no consequence to a company that earns many more billions by parking illegally. When Facebook was fined $5 billion by the US Federal Trade Commission in 2019, its stock rose the following day.”

READ SOME MORE

He said, however, the order to delete the data would be very hard for Meta to carry out.

“Meta has such poor internal accounting of what data it has put where that this will be very hard, perhaps impossible,” he said.

The case is the result of 10 years of action from privacy activist Max Schrems, who brought his original complaint to data watchdogs in Ireland in 2013.

Mr Schrems said the fine could have been much higher, but said the decision was a “major blow” to Meta. “Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems,” he said.

“The simplest fix would be reasonable limitations in US surveillance law. There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance. It would be time to grant these basic protections to EU customers of US cloud providers.”

The latest data-protection decision could also spell trouble for other companies who work cross-border, such as Microsoft, Google or Amazon.

Irish business group Ibec said companies across several sectors had been operating with uncertainty as a result of the European Court of Justice (CJEU) ruling in 2020. “While we are still reviewing the decision, the situation since the CJEU ruling on the Schrems II case in 2020 has created uncertainty for firms, large and small, across several sectors, who rely on legitimate safeguards to enable secure international data transfers at a time when we need economic certainty,” said Erik O’Donovan, Ibec’s head of digital economy policy.

“We encourage the EU and US authorities to swiftly conclude ongoing work to deliver a revised and resilient framework for EU-US data exchange; this will address privacy issues as well as the needs of modern digitalised business.’’

The American Chamber of Commerce (Ireland) warned that many organisations do not have a readily available alternative data-transfer solution should the use of standard contractual clauses (SCCs) to transfer data between the EU and US no longer be an option. The mechanism has been used by many companies in the absence of a data transfer agreement between the two territories.

“Until such a time as a final agreement is reached, the use of SCCs is important in supporting the operations of businesses with operations in Ireland and the USA, supporting investment and jobs in the Irish economy,” the group said.

“It is estimated that there are over 950 US companies with operations in Ireland of various sizes, employing over 209,000 people directly and supporting a further 167,000 jobs in the Irish economy.”

Meta is widely expected to appeal, as it has with past penalties imposed by the DPC, as a new deal between the EU and US on data transfers is introduced. But that may only result in a delay of the payment of the fine for a while.

Mr Schrems said it was likely that the new deal would also be struck down by the European Court of Justice, as Privacy Shield and Safe Harbour had been before them “Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix,” he said. “Unless US surveillance laws gets fixed, Meta will likely have to keep EU data in the EU.”

Ciara O'Brien

Ciara O'Brien

Ciara O'Brien is an Irish Times business and technology journalist