- Thierry Spanjaard
Meta fined thanks to privacy activists
Meta, the company that owns Facebook, Instagram, WhatsApp and more, has just been fined EUR 1.2 billion for not complying with GDPR Chapter V, specifically for having transferred personal data of European Facebook users to the United States without sufficiently protecting them from the surveillance programs of the US government and its agencies. This constitutes the largest fine ever issued under GDPR.
Andrea Jelinek, EDPB (European Data Protection Board) Chair, said: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
In addition to the fine, Facebook is ordered to stop any further transfers of European personal data to the US within five months, and to return all personal data to its EU data centers within six months.
The plaintiffs in this case are the Irish Data Protection Commissioner and Max Schrems, the founder of NOYB (None Of Your Business), the European Center for Digital Rights, a non-profit organization based in Vienna, Austria, established in 2017 with a pan-European focus.
The core issue is that data belonging to Europeans may be subject to US surveillance, authorized by the US Congress in the Foreign Intelligence Surveillance Act (FISA). This Act will end in December 2023 if it is not reauthorized, or reformed, by Congress. EPIC (Electronic Privacy Information Center), a US-based non-profit organization specializing in privacy and civil liberties issues, campaigns for a total reform of FISA to limit the powers of surveillance authorities that compromise privacy and civil liberties.
At the same time, Meta has the reform of the Transatlantic Data Privacy Framework in sight. The previous set of rules, known as the EU–US Data Privacy Shield and enforced from July 2016, was invalidated in July 2020 by the Court of Justice of the European Union (CJEU), also in a case started by Max Schrems, as the Court considered that the Privacy Shield "failed to ensure the protections mandated by the GDPR as it did not provide adequate safeguards to prevent EU data from being provided to US law enforcement or government agencies."
A new agreement, the "EU-US Data Privacy Framework", has been under negotiation for years between the US Government and the European Commission. President Joe Biden already signed an executive order to implement the new agreement in October 2022, and the European Commission launched the process in December 2022 to adopt an adequacy decision for the EU-US Data Privacy Framework. However, there is no certainty as to whether and when the new framework will be enforced. The EDPB published a statement welcoming "substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for US intelligence gathering of data and the new redress mechanism for EU data subjects." But at the same time, it expressed concerns about the level of data protection provided to European citizens. On May 11, 2023, the European Parliament adopted a resolution on the adequacy of the protection afforded by the new Framework, a necessary step to allow the European Commission to continue negotiations with its US counterparts. However, the European Parliament is concerned that the Framework could be invalidated by the Court of Justice of the European Union (CJEU) and points out that the proposed agreement fails to provide sufficient safeguards in the case of bulk data collection.
One has to remember that the EU is among the most essential markets for Facebook and, more generally, for Meta. As the company will not pull out of Europe, it will have to comply with the new rules when they are set, or keep suffering repeated penalties.