The Irish data protection regulator has fined Meta, the parent company of Facebook, a record-breaking 1.2 billion euros. As part of the decision, Meta is required to keep all personal data in data centers in the European Union once again. This announcement was made on Monday by the Irish data protection supervisory authority DPC, which is in charge of Meta in the EU. The company has been given five months to stop data transfer and six months to retrieve it.
Meta has stated that it intends to take legal action against the decision. This is the latest development in a long-standing dispute over data protection, which began ten years ago with the revelations of NSA whistleblower Edward Snowden. This decision currently applies only to Facebook, and not to other Meta services such as Instagram or WhatsApp.
Ten years ago, Snowden brought to light the extensive mass surveillance programs in the USA. This drew attention to the US surveillance law, FISA, which allows US intelligence agencies to request emails and other communications from US companies’ customers without judicial approval. EU data protection laws contradict this, and the protection of non-US citizens’ data from this kind of access has long been a point of contention.
Max Schrems, an Austrian data protection activist, lodged a complaint against Facebook with the Irish data protection supervisory authority in 2013. He accused the company of not protecting personal data from state surveillance in the USA. As a result, he achieved a number of important decisions against the legal basis for data transfer before the European Court of Justice. These included declaring the Safe Harbor Agreement invalid.
The DPC had repeatedly refused to take stricter measures against Facebook, which led to resentment across Europe. The record fine has now been overruled by the European Data Protection Board. Schrems’ data protection association Noyb is “happy about this decision after ten years of legal disputes.”
Meta has stated that the penalty is based on a legal conflict between US government rules and European data protection laws. Section 702 of FISA is due to be renewed in the US Parliament, and the debates have so far not addressed the data protection rights of non-US citizens. If the US surveillance laws are not altered, Meta “would now have to fundamentally restructure its systems.”