Meta’s fine has repercussions for EU-US data flows
The €1.2bn fine on Meta this week is the biggest ever imposed under EU data protection rules. The Facebook owner hardly has a blameless record, and has been fined before over lax privacy protections, including $5bn by US regulators in 2019 over the Cambridge Analytica scandal. Yet in this case Meta — like scores of other companies — is caught in a mismatch between EU and US law. The decision against it signals in effect that there is no functioning legal basis for Meta to do what it has been doing: transferring EU user data to the US. Unless a new attempt to create a framework to bridge the legal gap succeeds, the implications for tech firms, consumers and the internet are far-reaching.
The crux is that EU law since 1995 has prohibited transfers of personal data to third countries unless they offer “adequate” levels of data protection. But the EU imposes much higher protections than the US, reinforced by its 2018 General Data Protection Regulation and a charter of fundamental rights. As the Snowden leaks of US intelligence a decade ago exposed, it is easier under US legislation for law enforcement agencies to access users’ data — and more difficult for consumers to seek redress.
The European Court of Justice has struck down two successive EU-US frameworks designed to facilitate legal personal data transfer — Safe Harbor, and Privacy Shield — after challenges to Facebook’s practices by an Austrian privacy activist, Max Schrems.
The court found US laws did not satisfy requirements that were “essentially equivalent” to those required under EU law. Facebook continued transfers on the basis of contractual clauses endorsed by the European Commission, though the ECJ also raised questions over these in 2020. After further complaints from Schrems, the Data Protection Commission in Ireland — home of Meta’s European HQ — found against the use of these clauses. It did not recommend a fine, but other European regulators overruled it in consultations.
Meta has been given five months to suspend data transfers to the US, and six months to stop any processing of EU citizens’ data previously sent there. Some European campaigners say regulators should have gone further and made it delete the data in the US. Meta plans to appeal against the ruling. Its big hope, along with other tech companies, is that a third EU-US data privacy framework set to come into force in the meantime will prove able to withstand legal challenges. Schrems says he may test it.
President Joe Biden signed an executive order last October that bolsters safeguards around US intelligence-gathering and creates a court for citizens to seek redress. Some EU experts are hopeful the new framework will meet the test of being essentially equivalent to EU standards. If not, either deeper reform of US intelligence laws or dilution of the EU’s GDPR would be needed, which seems politically untenable. Tempers already flared when Privacy Shield was struck down in 2020, with a disgruntled US accusing the EU of hypocrisy given how some member states’ security agencies conduct themselves.
Companies would otherwise be forced to store all EU personal data on EU servers, which they say could complicate or block all manner of activities from cross-border social networks to sharing clinical trial data. The EU rightly prides itself on world-leading standards on data privacy — a legitimate and growing consumer concern — while the US says it is protecting security activities from which allies also benefit. But the two sides need to find a way to ensure necessary personal data flows can continue legally. A digital decoupling between the west and China may already be unavoidable, but it would be regrettable indeed to see a fracturing of the internet between the world’s top democracies.