On May 20, 2023, the European Data Protection Board (EDPB) fined Meta (formerly Facebook) €1.2 billion for violating the General Data Protection Regulation (GDPR) by continuing to transfer European user data to the United States without adequate safeguards in place.
For more background on this case, read our articles: "META behavioural advertising – Why it should matter to you" and "Privacy Shield inadequate (Schrems Deux)".
The EDPB found that Meta had not complied with the Schrems II decision, which invalidated the EU-US Privacy Shield, the framework that had allowed personal data to be transferred between the EU and the US. The EDPB found that Meta had not taken sufficient measures to protect the privacy of European users whose data was transferred to the US, where US intelligence agencies could access it.
As a result of the fine, Meta must stop transferring European user data to the US unless it can put in place adequate safeguards to protect the privacy of that data. Meta has said that it will appeal the fine.
The EDPB’s decision is a significant victory for privacy advocates, who have long argued that the US government’s surveillance programs pose a serious threat to the privacy of European citizens. The decision is also a setback for Meta, which relies on transferring European user data to the US to power its advertising business.
How Meta will comply with the EDPB’s decision remains to be seen. The company could try to negotiate a new data transfer agreement with the US government, or it could try to repatriate European user data to the EU. Whatever approach Meta takes, it is clear that the company will face significant challenges in complying with the EDPB’s decision.
Here are some additional details about the case:
- The case was brought by noyb, a European privacy advocacy group founded by Max Schrems.
- The EDPB’s decision is the first time a company has been fined for violating the GDPR in connection with data transfers to the US.
- The fine is the largest ever imposed by the EDPB.
- Meta has said that it will appeal the fine.
The EDPB’s decision is a significant development in the ongoing debate over the transfer of personal data between the EU and the US. The decision will likely have a substantial impact on how companies collect and use personal data, and it could lead to further legal challenges.