The ball is now in the court of transatlantic legislators to respond to the vivid enforcement of EU law taking place on the ground.
By Professor Elaine Fahey, Professor of Law and Jean Monnet Professor of Law & Transatlantic Relations at The City Law School
Meta’s €1.2bn fine by the Irish data protection Commissioner (DPC) and the order to halt data transfers from the EU to the US, is yet another instalment in the evolution of the global reach of EU law.
The Irish authority has de facto and de jure jurisdiction globally for the EU as the lead regulator in the EU on account of Meta’s being headquartered in Ireland and the Meta decision of May 2023 shows the DPC being outnumbered and outmanoeuvred (in theory at least) by their counterparts.
Previously, Meta threatened to leave Europe if this decision came to pass. In 2022, Meta collected 10% of its total global revenue of $117bn from the EU. Notably, Meta moved many UK users to US law from EU law after Brexit, along with other social media companies, showing the force of its rules - despite being a self-professed Europeanist, in favour of EU law’s General Data Protection Regulation (GDPR).
The DPC in Ireland has come under significant criticism and scrutiny nationally and internationally for her largely light-touch approach to regulation. Other data protection authorities in the EU have sought to invoke EU procedures to ratchet up fines. The European Data Protection Board (EDPB) overruled the DPC decision previous to this and compelled her to issue the fine of €1.2bn and to address past data collection about users, possibly including deletion.
The decision seeks to strictly implement a CJEU decision in Schrems II from 2020, brought by Austrian law student and privacy activist Max Schrems, resulting in the CJEU striking down the EU-US Privacy Shield on account of undue surveillance of EU citizens possible under US law in particular.
On the one hand, Meta argued in response to the DPC decision that it was ‘flawed, unjustified and sets a dangerous precedent’. On the other, it also pointed to an important international agreement under development between the EU and US. It is an agreement designed to address more completely the Schrems CJEU decision and to evolve the Privacy Shield, itself hastily agreed.
One notable feature of the case is that Meta is heavily relying upon a newly agreed EU-US Data Privacy Framework Agreement of March 2022 in its public defence to the outcome. The Agreement - now in force - includes an array of commitments against surveillance and actions, including a new EU-US Data Privacy Court. It is a key step towards an ‘adequacy’ decision with the US, entailing that US might be considered to afford equivalent protection to EU data privacy law- and enable easier data transfers.
The European Parliament met with the Department of Justice, the White House and many other key actors in Washington DC in May 2023 as a way to make adjustments to the Privacy Agreement, befitting of all concerns.
As of May 2023, the European Parliament remains very dissatisfied with the Framework as a way forward- it argued that EU-US Data Privacy Framework fails to create essential equivalence in the level of protection with EU law and called on the Commission not to adopt the adequacy finding until all the recommendations of the EP and European Data Protection Board had been followed.
It is thus of much significance that new transatlantic agreements and actors; e.g. a Court can come into play at this point and constructively engage with the issue of how Big Tech and EU law can converge. Meanwhile, the ball is in the Court of transatlantic legislators to respond to the vivid enforcement of EU law taking place on the ground.