Meta vs EU: Irish DPC Imposes $1.2 Billion Fine for Breach of GDPR

Previously, Meta had threatened to leave Europe if the decision materialized. Meta receives 10% of its global turnover from the EU, on a turnover of 117 billion dollars in 2022. In particular, the American company moved many British users to American law from European law after Brexit.along with other social media companies, showing the strength of its rules despite claiming to be in favor of EU law’s General Data Protection Regulation (GDPR).

The Irish DPC has come under significant criticism and scrutiny nationally and internationally for its overly lax approach to regulation. Other data protection authorities in the EU have sought to invoke EU procedures to increase fines. The EDPB reversed the DPC’s previous decision and forced it to impose a fine of 1.2 billion euros and to look into the issue of collecting user data in the past, possibly planning their deletion.

The ruling seeks to strictly enforce a CJEU ruling in the 2020 Schrems II case, brought by Max Schrems, an Austrian law student and privacy activist, which resulted in the CJEU striking down the EU-US Privacy Shield due to the undue surveillance of EU citizens possible under US law in particular.

On the one hand, Meta reacted to the DPC’s decision, saying it was “erroneous, unwarranted, and setting a dangerous precedent.” On the other hand, the American company also drew attention to an important international agreement being drawn up between the EU and the United States. It’s an agreement designed to respond more fully to the CJEU’s decision in the Schrems case and to evolve the hastily concluded Privacy Shield.

One of the notable features of this case is that Meta relies heavily on an EU-US Data Protection Framework Agreement, reached in March 2022, in its public defense of the case’s outcome. . The agreement, now in force, includes a series of commitments against surveillance and actions, including a new “EU-US Court” for the protection of personal data. This is a key step towards an ‘adequacy’ decision with the US, meaning the US could be considered to offer protection equivalent to EU protection law privacy and allow for easier data transfers.

The European Parliament met with the Department of Justice, the White House and many other key players in Washington DC in May 2023 to make adjustments to the privacy agreement, taking into account all concerns.

Currently, the European Parliament remains very dissatisfied with the development of the framework – he argued that the EU-US personal data protection framework does not create the essential equivalence of the level of protection with European law and asked the Commission not to adopt the adequacy decision until all recommendations of the European Parliament and the European Data Protection Board have been followed.

It is therefore very important that new transatlantic agreements and actors, for example a Court, can come into play at this stage and engage constructively on the issue of convergence between Big Tech and European law. In the meantime, the ball is in the court of transatlantic legislators who must respond to the lively application of European legislation on the ground.