Facebook Ordered to Suspend Data Transfers to US From Europe
European Data Authorities Fine Social Media Giant 1.2 Billion Euros
Akshaya Asokan (asokan_akshaya) • May 22, 2023
Facebook’s European headquarters building in Dublin’s Grand Canal Dock in a photo taken in April 2018 (Image: Shutterstock)
European privacy regulators gave Facebook five months to stop transferring data into the United States and assessed the social media giant a record 1.2-billion-euro fine in a decision that puts pressure on the European Commission to finalize a legal agreement enabling trans-Atlantic data flows.
The Data Protection Commission on Monday announced the fine against Facebook’s Dublin-based international operation, writing that Facebook cannot protect Europeans against surveillance by U.S. intelligence agencies. The decision to fine Facebook came from the European Data Protection Board after other national data protection agencies objected to Ireland’s intention to resolve its investigation without one.
Monday’s fine is the largest yet meted out by a European data protection agency against a tech giant for a privacy violation. The Luxembourg regulator imposed a 746-million-euro fine on Amazon in 2021 for mishandling personal data.
Facebook said it will appeal the decision and that it will not cause immediate disruptions to European operations. Facebook global affairs head Nick Clegg and Jennifer Newstead, chief legal officer, accused European authorities of having “singled out” the company. The decision is “unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” they said.
A company official told investors in April that European countries make up roughly 10% of its ad revenue.
European privacy activists successfully and repeatedly challenged the legal basis allowing American tech companies to process the data of European customers in the United States following 2013 disclosures by former intelligence contractor Edward Snowden that the National Security Agency intercepts internet traffic as it transits the U.S.
“Unless U.S. surveillance laws get fixed, Meta will have to fundamentally restructure its systems,” said Max Schrems, the Austrian privacy activist who in 2013 filed the complaint leading to Monday’s decision.
The European Commission and the U.S. signed a preliminary agreement establishing a new legal framework that imposes restraints on intelligence agencies. The European Parliament in a nonbinding vote earlier this month urged the commission to reject the pact, saying it should be strengthened (see: European Parliament Rejects EU-US Data Framework).
Should the commission decide to finalize its acceptance of the new framework within the next five months, the order requiring Facebook to cease transferring data would no longer apply, a European data protection official who requested anonymity told Information Security Media Group.
Facebook has relied since 2010 on an alternate mechanism to frameworks for trans-Atlantic data flows known as “standard contractual clause.” On Monday, Irish Data Protection Commissioner Helen Dixon wrote that SCC doesn’t stop Facebook from complying with U.S. law, including directives from the NSA.
Whether or not the NSA still conducts bulk surveillance is irrelevant, Dixon said, given that the Court of Justice of the European Union ruled in 2020 that the law authorizing NSA internet intelligence gathering “cannot ensure a level of protection essentially equivalent” to Europeans’ rights.
The decision leaves the door open for additional challenges against other American tech companies. Although it only affects Facebook, the analysis behind the decision “exposes a situation whereby any internet platform” subject to U.S. law could be challenged in the same way, Dixon wrote.
None of Your Business, the organization privacy activist Schrems founded in 2017, said Monday that the ultimate solution may lie in “some form of ‘federated social network’ where most personal data would stay in the EU, while only ‘necessary’ transfers would continue – for example when a European sends a direct message to a US friend.”
With reporting by ISMG’s David Perera in Washington, D.C.