€1.2 BILLION FINE BRINGS FACEBOOK’S “METAVERSE” BACK TO EU LEGAL REALITY

Meta was recently issued a 1.2 billion euro fine for a violation of the General Data Protection Regulation (GDPR), after an inquiry into its Facebook service. The fine was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses since 16 July 2020. The order was issued by the Irish Data Protection Authority, following a binding decision of the European Data Protection Board (EDPB). Meta was also ordered to cease the processing of personal data of European users in the United States within six months.

News travelled fast around the globe, not only because it typically does when it involves a tech giant, but also because it is a record-breaking fine since the adoption of GDPR in Europe. The previous record of €746 million was levied against Amazon back in 2021.

Since Dublin is home to the European headquarters of Apple, Meta, Twitter and Google, which have generated thousands of jobs in the country and boosted its economic growth, the question everybody is asking is whether the EDPB decision is lawful. Meta has said that it will appeal the ruling, playing the role of a victim of the tensions between the US and EU on issues of data privacy. In fact, one of the pleas Meta argued before the EDPB is that “the imposition of an administrative fine in the present case would be discriminatory” and “would violate the ‘general principle of self-binding effect of the general practice followed by the supervisory authorities to date’”.

Meta’s defence brings up another rotten tomato, namely the fact that this fine is directly linked to a previous decision of the European Union Court of Justice back in 2020. This decision struck down a complex transatlantic framework that allowed companies to legally move EU user data to US servers in the ordinary course of running their businesses. That framework, known as Privacy Shield, raised serious intelligence concerns for European citizens’ data shipped to the US. This comes in handy for Meta, which claims that its case stems from a “conflict of law” between US rules on access to data and the privacy rights of Europeans.

However, Meta’s GDPR violation does not arise from a conflict of law between the US and EU. Moreover, Meta is far from being a victim in this case: the root of the issue is profitability. Meta willingly chose to violate GDPR by transferring data to the US even after the 2020 European Court decision, because the alternative meant higher costs for Meta and, consequently, loss of profit. My opinion is supported by the fact that Meta has not made any effort to withdraw the data from the US or to build up data centers in the EU following the European Court 2020 decision. This behaviour allowed Meta to directly benefit from its own non-compliance and non-action to establish compliance.

Meta itself explains that it would not be able to offer its services in the EU without performing the transfers, which would clearly have a devastating impact on business, revenue and employees. This does not make Meta a victim or a casualty of different law conflicts; it rather underlines that transferring the data to the US in a way that infringes the GDPR is directly linked to the provision of the service to EU individuals. It also proves that a considerable part of its profits arises from the breach of the GDPR.

The EDPB decision follows a previous one for the same violation, which did not impose a fine on Meta. This certainly weighs a lot against Meta’s “victim defence”, which received significant support from public opinion. I am all for profitability, but this can never be a good reason to bend the law.

If we take a closer look at the EDPB decision, we may see that issuing a significant fine is justified by the following legal reasons:

  • the gravity of the infringement at stake carried out by Meta, highlighted by the large scope of the processing, the high number of data subjects affected and the long duration of the infringement;
  • the categories of personal data affected by the infringement – photographs, videos or messages, everyday data of social interactions with family, friends, acquaintances as well as personal data covered by Article 9 GDPR. Of significant relevance and directly linked to the 2020 European Court decision is that a map of social contacts may be particularly appealing for foreign law enforcement and intelligence. Moreover, the transferred data not only allows many matters of private and professional lives to be inferred, but also allows further data to be inferred, including emotional and mental states, and can also be misused for political manipulation;
  • the repetitive character of the infringement – which is still ongoing;
  • the infringement was performed at least with the highest degree of negligence – Meta bears a high degree of responsibility and it could not possibly be unaware of the fact that Facebook International Transfers could be considered in violation of Article 46(1) GDPR. The findings of the CJEU that derogations cannot be relied upon for systematic and massive transfers were clearly acknowledged by Meta. Nevertheless, Meta unilaterally decided, in spite of the European Court decision, that the level of protection required by EU law is provided for by relevant US law and practice.

From this perspective, imposing a significant fine is justified. The European court made it very clear that derogations must be interpreted restrictively so that the exception does not become the rule. A data transfer that occurs regularly within a stable relationship between the data exporter and a certain data importer is systematic and repeated. The positions of the Austrian and French data protection authorities are strikingly interesting and articulate, because they point to intentional behaviour by Meta, based on both knowledge and willfulness in relation to the characteristics of an offence.

The Austrian authority argues that it is not the first case where a violation of the GDPR by Meta was established. The French authority refers to the fact that the Facebook social network occupies an “inescapable place in France” and “dominates by far the social media market” and, due to its dominant position, generates important “network effects”. Since Facebook is provided to many users who do not necessarily have legal or technical knowledge, these users rely on the information published by Meta and would reasonably expect that their personal data is protected when it is transferred to the US.

Last but not least, while I find the EDPB decision justified, the record-breaking fine might, however, be a warning for other companies performing the same infringement, which cannot be deemed lawful. The EDPB’s approach is that: “if Meta IE is not fined for the infringement of Article 46(1) GDPR in the present case, other controllers […] would be inclined to follow the same model. The same is valid for the response of the supervisory authorities in case of an infringement”.

While I agree that a fine must be discouraging in terms of committing the same infringement in the future, the EDPB’s approach is at least debatable. Infringement is personal and cannot be deemed a lesson for third parties, precisely because it would be disproportionate and breach the very core of personal liability.
