On Monday, a decade-long legal case (2013 to 2023) concerning Meta’s role in US mass surveillance reached a significant milestone. The decision obliges Meta to stop any further transfer of personal data from Europe to the United States, because Meta is bound to comply with US surveillance legislation such as FISA 702. The European Data Protection Board (EDPB) had largely overturned the draft decision of the Irish Data Protection Commission (DPC), insisting on a record fine and on the return of previously transferred data to the EU.

Following Edward Snowden’s disclosures about the involvement of major US tech companies in the NSA’s mass surveillance program, Facebook, now known as Meta, became the subject of legal proceedings in Ireland. Over the course of a decade, Meta failed to implement any significant measures and instead disregarded directives from the Court of Justice of the European Union (CJEU) and the European Data Protection Board (EDPB). As a consequence, Meta is now obliged not only to pay a historic fine of €1.2 billion but also to return all personal data to its data centers located within the EU.

The reauthorization of FISA 702 is currently under discussion. The ongoing conflict between EU privacy regulations and US surveillance laws also poses challenges for other prominent US cloud service providers such as Microsoft, Google, and Amazon. The underlying US surveillance legislation, FISA 702, must be reauthorized before December 2023. Given the substantial fine just imposed by EU data protection authorities, there is growing pressure on US tech giants to make significant changes. Several rulings in France, Italy, and Austria have already declared the use of US services unlawful, although they did not carry fines comparable to this case.

Although Meta is likely to appeal to the Irish courts and potentially to the European courts, the likelihood of the decision being significantly overturned is low. The CJEU has already ruled in two cases, spanning from 2007 to 2023, that there was no legitimate legal framework for transferring data between the EU and the US, and no new agreement can retroactively legalize prior breaches of the law.

According to a recent CJEU ruling, individuals may now be able to claim emotional (non-material) damages for even minor infringements of their data protection rights, including instances where their data is subject to US mass surveillance. Such claims could exceed the penalties currently imposed. For instance, the Dutch consumer rights organization Consumentenbond is currently enlisting Dutch Facebook users to assert their claims regarding EU-US data transfers. Without users demanding fair compensation, substantial change is unlikely. As regulatory authorities are currently not very proactive in enforcing the GDPR, it falls to consumer rights organizations and users to take action. Noyb therefore encourages every Facebook user in the Netherlands to register a claim for potential damages. In addition, the implementation of the EU’s Collective Redress Directive this summer will allow European users to bring collective actions for GDPR violations for the first time.

What does this mean for other companies? This is the first fine issued for unlawful transfers, and it sets a high standard for compliance. For international transfers in the absence of an Adequacy Decision, controllers must ensure that appropriate safeguards are in place and that enforceable rights and effective legal remedies are available to individuals. Such appropriate safeguards include Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs).

Does your organization have any questions about transferring personal data internationally to the US? Contact us, the Experts in Data Privacy at info@dpoconsultancy.nl for assistance.