The €1.2 billion fine that the Irish Data Protection Commission (DPC) against Meta marks a new record for violation of the EU’s General Data Protection Regulation (GDPR), but it is the DPC’s order that the company to shut off its transatlantic flow of user data that will have the most far-reaching consequences for international trade, privacy policy, and the rule of law.
The DPC's actions come as the EU and United States had been seeking to finalize a new data-transfer mechanism. This punitive action sets a dangerous precedent for future U.S.-EU cooperation.
According to the DPC decision, Meta broke EU law in relying on standardized and pre-approved model data-protection clauses—known as standard contractual clauses (SCCs)—to transfer personal data about EU citizens to the United States. While the decision applies specifically to Meta, it would in principle apply to any firm doing business in the EU that relied on SCCs to transfer personal data. Indeed, Irish Data Protection Commissioner Helen Dixon has stated that she is either already investigating or interested in investigating more firms that relied on SCCs.
In the 2020 Schrems II case, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, the legal mechanism that previously ensured that businesses were properly transferring EU data to the United States. While the CJEU upheld the use of SCCs as a valid data-transfer method, the court cast doubt on the viability of this mechanism going forward.
Many U.S. firms—including Meta—continued to rely on SCCs following the decision. Shortly thereafter, the DPC issued a preliminary decision that Meta was not entitled to rely on SCCs to transfer data. The DPC’s final decision reaffirms that decision and further asserts that, since Meta was not entitled to transfer data under SCCs, it is liable for all data transfers it believed it was legally conducting.
It remains a complex legal matter, ultimately to be determined by the EU courts, whether and under what precise circumstances it was legal for businesses to rely on SCCs. The Irish DPC acknowledged this complexity and had earlier offered it as a reason not to impose a monetary fine on Meta, but was overruled on this point by the European Data Protection Board.
But now that the final decision has been handed down, the logic of the Meta case could be applied to any U.S. firm that has relied on SCCs to transfer data from the EU in the past three years, thereby punishing firms that believed they were complying with EU law.
The protectionist nature of the decision is apparent when one considers that the €1.2 billion fine imposed on Meta significantly exceeds any previous fine issued by a data-protection authority. EU data-protection authorities have previously asked EU providers to suspend transfers without assessing fines of this magnitude. It is concerning that U.S. companies are being disproportionately targeted for these punitive actions. The precedent would allow EU data-protection authorities to issue similarly massive fines against any foreign firm they wish to target.
Moreover, it effectively undermines sound privacy policy. In many cases, it harms consumer privacy to fragment data across multiple data centers. It can also hamstring the algorithms used to guarantee cyber security. The changes imposed by the DPC could exacerbate the problem of finding and stopping hackers.
The decision also poses a serious risk to transatlantic trade, as it makes data transfers between the EU and the United States essentially illegal. More generally, it threatens to undermine faith in EU legal institutions. When the EU issues an adequacy decision, or where there are legal channels like SCCs available, it should be presumed that firms are acting lawfully when they comply with those legal instruments.
This decision only highlights the urgency with which the United States must act. U.S. officials have been taking steps to comply with the terms of the new EU-US data-transfer agreement. They need to finish that process so that the EU can finish its own internal processes and issue a new adequacy decision.
But even if a new adequacy decision is issued, the DPC’s retroactive fine will remain a dangerous precedent. U.S. and EU policymakers need to work together to curb such excesses and restore trust in the EU’s rule of law.
