The decision hinges on Facebook’s inability to protect EU citizens’ data from National Security Agency surveillance, but other large social networks seem open to the same legal risk.
Meta has six months to get the data of European Facebook users off its US servers and owes the European Union €1.2 billion ($1.3 billion) under a decision announced Monday by the European Data Protection Board (EDPB).
The board’s 222-page decision (PDF) focuses less on what Meta’s Irish subsidiary, which runs its European operations, has done with the information of EU Facebook users and more on what it can’t do to safeguard that data from the curiosity of the National Security Agency.
The EDPB held that the latter shortfall violates a core principle of the General Data Protection Regulation, the vast set of privacy rules that went into effect five years ago. Firms doing business in the EU cannot transfer people’s data out of it without securing “appropriate safeguards” that include “enforceable data subject rights and effective legal remedies.”
As Irish data protection commissioner Helen Dixon summarized in the EDPB ruling, Facebook “does not have in place supplemental measures which compensate for the inadequate protection provided by US law.”
That’s been an existential issue for US tech firms with transatlantic operations ever since Edward Snowden’s 2013 revelations of bulk surveillance by the NSA. It led to a complaint filed with the EU by Austrian privacy activist Maximillian Schrems that Facebook had left his information exposed to US surveillance agencies.
