The €1.2bn fine on Meta this week is the biggest ever imposed under EU data protection rules. The Facebook owner hardly has a blameless record, and has been fined before over lax privacy protections, including $5bn by US regulators in 2019 over the Cambridge Analytica scandal. Yet in this case Meta — like scores of other companies — is caught in a mismatch between EU and US law. The decision against it signals in effect that there is no functioning legal basis for Meta to do what it has been doing: transferring EU user data to the US. Unless a new attempt to create a framework to bridge the legal gap succeeds, the implications for tech firms, consumers and the internet are far-reaching.
The crux is that EU law since 1995 has prohibited transfers of personal data to third countries unless they offer “adequate” levels of data protection. But the EU imposes much higher protections than the US, reinforced by its 2018 General Data Protection Regulation and a charter of fundamental rights. As the Snowden leaks of US intelligence a decade ago exposed, it is easier under US legislation for law enforcement agencies to access users’ data — and more difficult for consumers to seek redress.
The European Court of Justice has struck down two successive EU-US frameworks designed to facilitate legal transfers of personal data — Safe Harbor and Privacy Shield — after challenges to Facebook’s practices by an Austrian privacy activist, Max Schrems.