Meta fined for data breaches: Is it just a symbolic gesture or real change?

In this article, Fredric discusses why the US and the EU are unlikely to agree on a long-lasting data transfer agreement in the foreseeable future.

Fredric Wallsten


CEO, Safespring


Europe faces an exciting future with a major digital leap. Even if the EU woke up late, the road ahead is clear. A strong commitment to protecting citizens’ personal data is evidenced not least by the fine against Meta of around SEK 13 billion 1.

The GDPR and the Cybersecurity Act are just two of a series of regulatory measures shaping the EU’s Digital Decade Strategy, which aims to create a free, safe, inclusive, and sustainable single market with people at its center 2. These are ambitious goals 3 that will require major changes in skills and workforce supply, as well as steering toward the strategic objectives through regulations and legal requirements.

In recent days, the Irish data protection authority has fined Facebook for transferring European citizens’ personal data to U.S. servers in breach of European law. Like all other American companies, Facebook is primarily subject to U.S. law and can therefore sometimes be compelled to hand over data to U.S. authorities in ways that conflict with European law and European citizens’ rights. The fine underscores how data protection authorities are taking both their supervisory responsibilities and their cooperation increasingly seriously.

Reactions and pressure

Questions remain. The Irish Data Protection Commission has not exactly been enthusiastic about fining American companies, since Ireland has gained both tax revenues and jobs by attracting the European headquarters of especially U.S. IT firms. But pressure from other EU member states’ data protection authorities has proved effective. The size of the fine is smaller than Facebook feared at its budget review with shareholders a month ago. And many rounds of appeals in national and European courts may be expected before Meta actually has to pay up. 4 The specialist press is hardly enthusiastic about any immediate strengthening of data protection for individuals, nor is the Swedish press. 5 Yet despite all objections, it is a principled decision—and it should have come sooner.

The core question is whether European citizens’ rights should be determined in European law.

The importance of European law and sovereignty

In the market segments where we typically operate—research-support services and government systems—it is even more important that local legislation applies than it is for social media like Facebook. Swedish citizens’ relationships with Swedish educational institutions and authorities should be governed by Swedish law, and a citizen should be able to expect that their democratic participation also influences the governance of the conditions for these relationships. When personal data are transferred to other countries, such as the United States, it is not clear that this still applies. When personal data are transferred to the U.S., it is U.S. lawmakers’ will that becomes decisive in determining the balance of power.

Even when a sitting U.S. president issues regulations—so-called executive orders—these are temporary and weak guarantees that make Swedish citizens’ relationships with Swedish authorities dependent on the latest election result in the United States. And not only because of external factors, such as the current geopolitical situation, but also due to internal circumstances, such as who may participate in interactions with social services, schools, healthcare, and market oversight.

Facebook can and will delay certain clean-up measures in its own data centers if a new data transfer decision is adopted by the European Commission this October. But it is unclear whether the Court of Justice of the EU will uphold a new data transfer decision if the sovereignty of European legislation is not respected. The Court of Justice of the EU must follow European law in all its rulings, and European law does not permit European citizens’ ability to exercise their rights to depend on who wins U.S. presidential elections.

  1. EUobserver: Meta’s €1.2bn fine — a GDPR win, inconsequential for user privacy?
  2. European Commission: Europe’s Digital Decade: digital targets for 2030
  3. European Commission: The future and Europe’s digital compass towards 2030
  4. Politico: Record Meta fine masks Europe’s privacy struggle
  5. Dagens Industri: Meta receives record EU fine for user data breach