Hi! This is Tuesday, 30 May 2023, and here’s the EU news you need this week. Feel free to share this newsletter with friends and colleagues, and follow us on Twitter and LinkedIn.
The Briefing
On 22 May, the Irish Data Protection Commission (DPC) issued a landmark decision against Meta Ireland (formerly Facebook). Meta now holds the record for the largest fine for non-compliance with the General Data Protection Regulation — 1.2 billion euros — and dethrones Amazon, which until then held the record with the 746 million euro fine imposed in 2021 in Luxembourg by the National Commission for Data Protection. Meta has announced that it will appeal the decision.
THE DECISION • The decision contains the following elements:
A €1.2 billion fine.
The order for Meta to suspend transfers of European users' data to the United States within five months of notification of the decision.
The order for Meta to delete or repatriate within the EU by November the personal data of European Facebook users stored in the United States since 2020, in the absence of a new adequacy decision between the EU and the United States.
LEX • Meta is sanctioned for an infringement of Article 46(1) of the GDPR, which relates to transfers of personal data to third countries, i.e. outside the EU. The DPC began its investigation in August 2020, shortly after a ruling by the Court of Justice of the EU (CJEU) caused havoc in the transatlantic world of personal data transfers. To understand what this is all about, we must dive into what the GDPR says and into the saga started by the Austrian activist Max Schrems.
BACKGROUND • The GDPR makes the transfer of personal data to third countries conditional on the existence of an adequacy decision, the purpose of which is to recognise that the personal data are subject to equivalent protection in the third country concerned.
In a series of legal attacks before the CJEU, Austrian activist Max Schrems and the NGO he founded, None of Your Business (NOYB), successively brought down two such adequacy decisions: the Safe Harbour in 2015 (Schrems I ruling) and the Privacy Shield in 2020 (Schrems II ruling), both of which had been negotiated at the highest level between the US and the EU.
Max Schrems has twice successfully demonstrated that the protection of Europeans' personal data is not guaranteed in the United States, because the American authorities can collect European citizens' data hosted in the United States, as the Snowden affair had spectacularly demonstrated.
In the absence of an adequacy decision, data transfers are governed by "standard contractual clauses", i.e. model contracts for the transfer of personal data. After the invalidation of the Privacy Shield by the CJEU in 2020, the European Commission adopted new standard contractual clauses in 2021, on which Meta relied to operate data transfers between the EU and the United States.
However, these contractual clauses must have "appropriate safeguards", says Article 46(1) of the GDPR. The DPC considers that the standard contractual clauses as well as the additional measures taken by Meta to comply with the GDPR were not sufficient to guarantee respect for the right to privacy for European users of Meta, whose data is transferred and processed in the United States. With this decision, the EU once again distances itself from the United States regarding the processing of personal data.
EUROPEAN DISAGREEMENTS • As Meta noted in a press release, "the DPC initially acknowledged that Meta had continued its data transfers between the EU and the US in good faith and that a fine would be unnecessary and disproportionate. However, the EDPS ignored this finding and also chose to ignore the clear progress made by policymakers to address this underlying problem."
The DPC — which is the lead authority for Meta as it has its European headquarters in Ireland — was not in favour of a fine or an obligation for Meta to repatriate European users' data to Europe. The Irish regulator is often suspected of aligning with big tech companies, because of the sector's significant weight for the Irish economy and also potentially because of staffing issues.
However, the lead authority is not the sole decision-maker, especially in cases of conflict. Indeed, the GDPR gives the European regulator — the European Data Protection Board (EDPB) — the power to make a binding decision in case of disagreement. On 13 April, the EDPB ruled in the direction for which several national authorities were arguing, which resulted in the record fine and the obligation for Meta to repatriate the data of European users to Europe.
MORE • After the thunderbolt of the Schrems II ruling in 2020, the US and EU are still negotiating a new equivalence decision — the draft was published in December 2022 — that would bring some legal order and certainty to transatlantic transfers of personal data.
Negotiators on both sides hope to reach a new equivalence decision before November 2023. If such a decision is adopted, Meta will no longer need to repatriate the data of its European users to Europe. However, the new equivalence decision may again be referred to the European courts. Max Schrems and None of Your Business (NOYB) will certainly be there, to try to make the saga a trilogy.
Inter Alia
GERMANY • Germany — the eurozone’s growth engine — is in a technical recession. German GDP contracted by 0.3% year-on-year in the first quarter of 2023, following a contraction of 0.5% in the last quarter of 2022. For Germany, this technical recession is the first since the Covid-19 pandemic, and it has taken by surprise many forecasters who expected sluggish rather than negative growth.
Significant divisions in the ruling coalition only add to concerns about Germany's ability to overcome an energy crisis that is severely crippling its industrial sector. In the background is the risk that a recession in Germany will spread to its neighbours and main trading partners, and pull the entire eurozone down.
ChatGPT • The AI Act, which is at this stage only a proposal, is not to the liking of OpenAI CEO Sam Altman. The company that offers ChatGPT could even stop offering its services within the EU if the regulation — the first comprehensive piece of legislation to regulate the risks posed by artificial intelligence — were to see the light of day in its latest version. The AI Act would make companies like OpenAI partially responsible for how their models are used, even though they do not control how their technology is used.
What we’ve been reading this week
The EU needs a radical reform of its markets to create a true capital union, writes Karel Lannoo of CEPS in the FT.
The EUISS, the EU's internal think tank on foreign policy issues, has published a note by Stanislav Secrieru on the impact of the war in Ukraine on Moldova and the future of its relationship with the EU.
This edition was prepared by Maxence de La Rochère and Augustin Bourleaud. See you next Monday!