EU penalties like Meta's also threaten German companies

Brussels. The EU's record fine against the Facebook parent Meta is causing unrest in the German economy. The decision is “a wake-up call for German companies too,” says Rebekka Weiß, head of trust and security at the digital association Bitkom. “They should quickly check whether their data protection measures are sufficient.”

The Irish data protection authority IPC ruled on Monday that the social network Facebook had not adequately protected the personal information of EU citizens from access by American intelligence services. The Meta group is therefore now to pay a fine of 1.2 billion euros. The company plans to appeal.

The decision is explosive because it sets a precedent. “Any company that sends data to the US is in the same position as Meta,” says Michael Kamps of the Berlin law firm CMS.

Meta protected itself with the prescribed standard contractual clauses and even set up additional technical safeguards. However, the data protection authorities called for stronger encryption of user data.

The core problem is that US laws allow intelligence services to conduct extensive surveillance of users without cause – while the European General Data Protection Regulation (GDPR) prohibits precisely this. No company can solve this fundamental conflict, says Kamps. Meta was only targeted by data protection officers because of its prominence.

Kamps expects that the German data protection authorities will also be motivated by the decision to take stronger action against companies themselves. The number of fines in Germany is increasing, he says.

The data protection authorities can impose a fine of up to four percent of global revenue if companies carelessly store data in countries where the level of data protection does not correspond to that in Europe. The fine against Meta is equivalent to a good one percent of its global revenue for 2022.

Is data sharing with the US now banned?

Every company that stores personal data must protect it from unauthorized access. When data is stored outside of the EU, things can get complicated. The EU recognizes the data protection of some states as equivalent. This includes Great Britain.

In other countries, the companies themselves have to ensure that data protection is guaranteed – also in the USA. They can do this, for example, by using special encryption methods.

These procedures are agreed in a contract with the data service provider. So-called standard contractual clauses provided by the EU Commission can be used. On this basis, data exchange with the USA is still possible for the time being.

What can companies do to avoid a fine?

“Companies shouldn’t take this lightly,” says data protection expert Weiß. “You have to check what protection is needed for each individual data transfer.”

Specialist lawyers are therefore needed to check whether all the provisions of the GDPR are being complied with. “Anyone who has organized their data protection unsystematically should change that now,” says Weiß.


In individual cases it may even be necessary to restructure supply chains if they are too closely linked to data exchange with other countries. According to a Bitkom survey, more than half of the companies have already stopped plans for innovations because they felt compelled to do so by data protection.

When is there legal certainty?

The EU is currently working on simplifying data exchange with the USA. To do this, the USA must give guarantees that the data of Europeans will be particularly protected. Then the EU can recognize data protection there as equivalent, which eliminates legal uncertainties.

[Photo: Meta. The Meta group is now to pay a fine of 1.2 billion euros. (Photo: AP)]

The USA and the EU have already agreed in principle on a new data protection agreement, but this still has to be legally implemented on both sides.

According to Kamps, even if the agreement comes into force soon, it still does not offer legal certainty for companies.

The European Court of Justice (ECJ) has twice declared a transatlantic data agreement invalid (first Safe Harbor, then Privacy Shield).

Data protection activist Max Schrems, who brought both lawsuits, also wants to challenge the new agreement.


Lawyer Kamps considers it quite possible that the ECJ will overturn an agreement for the third time, because even this one would not solve the basic problem: EU citizens who want to take legal action against surveillance in the USA would get only insufficient legal protection against the US government.

Isn’t there another way to solve the problem?

Theoretically, there are three ways in which the contradiction between US law and EU law could be resolved:

  1. European companies no longer send data to the USA and vice versa. Meta has already threatened to stop offering its services in the EU if the legal situation is not clarified. The result would be national or regional data silos – and with them the “death of the internet”. Neither the USA nor the EU want such a decoupling of their data spaces.
  2. Companies need to encrypt their data more. This presupposes that there are always new standards that the American security agency NSA cannot crack. The crucial question is how expensive such a technical upgrade would be – and whether it might render transatlantic data exchange impractical.
  3. The EU could revise its General Data Protection Regulation and make it more realistic. However, the political will to do so is lacking. A reform would also only be possible to a limited extent, since the right to data protection is included in the European Charter of Fundamental Rights. Alternatively, the US government could rein in its intelligence services – that too is rather unlikely.
