Meta’s €1.2bn fine — a GDPR win, inconsequential for user privacy?

Furthermore, as with earlier record-setting fines for US massive tech firms below GDPR, Fb nonetheless has quite a few alternatives to enchantment the advantageous, each below Irish legislation and on the European Courtroom of Justice.

Beneath the situations of the advantageous, Meta has till 12 November of this yr to maneuver again or delete consumer knowledge from US servers, however is unlikely to really need to comply. Since March 2022, EU and US officers have agreed on the political phrases of the EU-US Knowledge Privateness Framework (DPF), a data-transfer settlement set as much as harmonise GDPR laws with US knowledge assortment.

Initially slated to be signed in July of this yr, Estelle Massé, campaigner at digital privateness NGO Entry Now, instructed EUobserver that it’s more likely to be postponed to October — nonetheless in time for Fb to not need to delete EU consumer knowledge.

“This [decision] won’t imply a lot for individuals’s rights,” Massé mentioned. “In observe, it will imply that really Fb must do nothing, as a result of they might have a brand new authorized foundation below which the info can transfer to the US and keep there.”

The €1.2bn advantageous is clearly an enormous amount of cash, however Massé expects that Meta’s inventory will not undergo from the setback. “They have been setting apart cash for fairly a while now in preparation for this advantageous,” she mentioned. “Based mostly on what they instructed their buyers only a month in the past, and what they have been anticipating [from this fine], I am anticipating Fb inventory to go up in the present day.”

In April of this yr, Meta issued a warning of their earnings report that as much as 10 % of its international advert income could possibly be in danger from the advantageous issued by the Irish regulators. “Clearly, they at all times put aside cash for this and lots of different fines. I believe they’d put apart €1.6bn, so €1.2bn was a superb reward,” Massé quipped.

And that’s in the event that they need to pay the complete sum in any respect. Of all of the record-setting fines issued by nationwide legislators below GDPR since 2016, nearly all of them are nonetheless winding their approach by appeals. “We handed the €4bn mark of fines issued below GDPR. But when we have been to analysis and examine how a lot of those fines have truly been paid, we have not reached €4bn.”

“It is progress on the advantageous stage,” Massé mentioned. However on the similar time, it won’t do a lot for consumer knowledge safety.

“Concretely, the GDPR is about defending knowledge safety violations for individuals. And what we’re being instructed, as individuals, by this resolution, is that this firm has been transferring your knowledge unlawfully, it’s at the moment holding your knowledge someplace unlawfully, and now we give it six months to repair that resolution by both deleting it or transferring it again to the place it is authorized for the corporate to have it. However the small print is that inside six months’ time, they are going to have the ability to preserve it there. So it implies that we’re accepting that the illegal state of affairs continues for six extra months till it is not illegal for them to try this,” she mentioned.

Not all is misplaced although. Privateness campaigner Max Schrems, who filed a grievance with the Irish knowledge safety regulators a decade in the past and has continued to litigate, mentioned in an announcement that the brand new EU-US DPF is unlikely to carry earlier than the European Courtroom of Justice (CJEU).

Join EUobserver’s day by day e-newsletter

All of the tales we publish, despatched at 7.30 AM.

By signing up, you comply with our Phrases of Use and Privateness Coverage.

“Meta plans to depend on the brand new deal for transfers going ahead, however that is possible not a everlasting repair. In my opinion, the brand new deal has possibly a ten % likelihood of not being killed by the CJEU. Except US surveillance legal guidelines get mounted, Meta will possible need to preserve EU knowledge within the EU,” Schrems mentioned.

He additionally believes that Meta’s threats of withdrawing companies from the EU because of knowledge safety regulation are “laughable”. Europe is the largest marketplace for the social media big outdoors of the US, so withdrawing is an “empty risk”, he mentioned.

GDPR has been in power since 2016, which ought to have given Meta — and different massive tech firms — ample time to have mounted the info switch points. “I am not going to really feel sorry for them not being able to adjust to the legislation that they knew was coming,” Massé mentioned.