It’s been a long time coming, but the decision by the Irish Data Protection Commission (DPC) to slap a €1.2 billion ($1.3 billion) fine on Facebook parent Meta and to order it to cease transferring user data from the EU to the US is a hefty shot across the bows of Big Tech.
Just how pivotal is this ruling? Well, just check out the weeping and wailing and threats to take Meta’s ball home from the company’s Apologist-in-Chief Nick Clegg:
This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US. We are…disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.
He went on:
We are pleased that the DPC also confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects' data once the underlying conflict of law has been resolved. No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.
Bring a tear to a glass eye, that would. Poor, poor Company-Formerly-Known-As-Facebook, being picked on by the nasty regulators. But while you do dry your eyes at such a flagrant attempt to pick on Meta, it’s worth noting that Clegg’s being a little free in his assertion that “there will be no suspension of the transfers”.
What’s actually the case is that the DPC has given Meta some breathing space – why? – and ordered Meta Ireland to:
suspend any future transfer of personal data to the US within the period of five months.
That’s not exactly the same thing, is it, Nick? The clock is ticking and we can all hear it.
Irish plaudits deserved?
Mind you, the Irish DPC may not itself be entirely deserving of the plaudits it’s picked up in the EU for being tough here. Initially the regulators ruled that Meta didn’t need to be fined and had acted in good faith by using legal transfer mechanisms to shift data across the Pond. That was over-ruled by a wider panel of EU data privacy regulators.
Some cynics inevitably point to the amount of inward investment by tech firms into Ireland as a contributory factor to seeming reluctance to bash a big stick. Whatever the case, it appears that the Irish Data Protection Commissioner Helen Dixon wasn’t keen on imposing the fine on Meta, arguing in case papers that:
I expressed the view, in the draft decision, that the imposition of an administrative fine would not render the [Data Protection Commission’s] response to the findings of unlawfulness any more effective. Nor did I consider that, in the particular circumstances of this case, or in relation to transfers generally, the imposition of an administrative fine on top of the suspension would have any meaningful dissuasive effect.
In reality, hitting Meta on the bottom line, which is currently considerably less strong than it was even a year ago, is probably the only thing that is going to get proper attention. This was realized by the European Data Protection Board [EDPB] in Brussels, who countered:
The [EDPB] considers that, taking into account the nature and scope of the processing, as well as the very high number of data subjects affected, Meta [Ireland] committed an infringement of significant nature, gravity and duration. The EDPB takes the view that the imposition of an administrative fine in addition to the suspension order would have an important deterrence effect, which the imposition of a suspension order alone cannot have.
Rightly or wrongly, the unfortunate impression given here is that the Irish regulators seem more keen to err on the side of big-spending Big Tech than EU citizens. Plaudits here appear more deserved for Austria, France, Germany and Spain, whose representatives over-ruled the Irish.
Meta’s best bet now lies with the EU signing off on the proposed replacement for the hideously flawed Privacy Shield, struck down in the summer of 2020. That was agreed in principle between EU and US leaders last year, but is still sitting waiting for sign-off by European authorities, with many lawmakers concerned that its safeguards around data privacy aren’t robust enough. Will five months be enough to get it over the line?
Both the EU Parliament and the European Data Protection Board have expressed ongoing worries around US surveillance laws, which do not prohibit bulk collection of EU citizen data, the lack of any Federal level data protection legislation, and the need to establish a Data Protection Review Court, without which the EU is unlikely to proceed.
In the US, the Computer & Communications Industry Association is calling for more speed in ratifying the proposed new transfer arrangements, with President Matt Schruers arguing:
To keep data flowing between the US and EU, and to preserve the strength of our mutually beneficial trading relationship, prompt implementation of President Biden’s executive order is vital.
In London, Ruth Boardman, a partner at law firm Bird & Bird, reckons, in a very thorough summary of the situation, that there’s a good chance that Meta may well be saved by a new US-EU transfer arrangement being agreed before the situation escalates further:
While the precise timing for approval is unclear, the Framework is expected to be approved in the coming months. It therefore seems likely that the new Framework will be approved before the orders relating to Facebook take effect – especially if the Irish Court hearing Facebook’s appeal grants Facebook a stay of the Order, while the appeal is heard.
In the meantime, privacy activists are understandably happy with the latest developments. Amnesty International said it welcomes the judgment:
Meta’s entire business model is predicated on a systematic assault on our right to privacy. This judgment sends an important signal that these abuses can no longer be tolerated.
While, as noted above, this has been a long time coming – and frankly couldn’t have happened to a more deserving case – there are wider implications here for the tech sector, both in the US and the EU, if there isn’t a robust data transfer framework available to companies in both regions. While many vendors do have in-country or in-region data centers, for others the cost of doing business might well prove prohibitive. That’s not good news for Europe or the potential Balkanization of the digital economy.
Mind you, the threats from Meta to take Facebook and Instagram out of Europe aren’t exactly an appealing prospect for Mark Zuckerberg and Co either, nor do they carry the weight they once did perhaps, given the current financial health of Meta. In its most recent regulatory filings, the firm said that without some mechanism in place for data transfers, it would “likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe”. That would hurt at a time when the company has enough self-inflicted wounds to deal with.
So, all eyes on the European Commission now, where the party line from the Eurocrats in charge is that the framework can be signed off in time:
We expect this data protection framework between the EU and the US to be fully functionable by the summer. This will guarantee stability and legal certainty.
That’s the administrative will. Trouble is, that’s in direct conflict with a lot of political won’t.
One last thought - if EU and US authorities had actually put some serious effort into finding a robust data transfer framework before Safe Harbor was declared unsafe, rather than cobbling together the PR-friendly, but utterly inadequate Privacy Shield once the previous arrangements had collapsed because egos on both sides ruled the day, then we might not still be having to have these discussions!