Press play to listen to this article
Facebook owner Meta Platforms should be fined for continuing to shuttle Europeans’ personal information to the United States in violation of a landmark EU court ruling, Norway’s data protection authority has told its peer regulators.
“There would be little or no incentive to act in accordance” with EU data transfer laws if regulators don’t impose a fine on the US tech giant, Norway’s authority Datatilsynet said in a partially redacted document obtained by POLITICO under freedom of information laws.
The authority is one of a handful of European regulators responding to the Irish Data Protection Commission’s draft decision from July that orders Meta’s to cease its use of a legal instrument called standard contractual clauses (SCCs) to transfer data across the Atlantic — everything from family pictures to payroll information.
The Irish draft decision implemented a 2020 court ruling in which the European Court of Justice nixed an EU-US data transfer deal called Privacy Shield and tightened requirements to use other data transfer mechanisms like SCCs because they would expose Europeans to intrusive US surveillance.
“Based on the facts of the case, we will not see how [Meta] could have continued its personal data transfers following the Schrems II judgment had it acted in accordance with the GDPR,” the Norwegian objection reads.
It said it thought Meta’s violation of EU data transfer rules is “particularly serious.”
The Norwegian document suggests that the regulator wants to go further than the Irish Data Protection Commission, which in July decided to block Meta’s EU-US data transfers but made no mention of a fine for the violations.
“While orders, limitations and bans generally seek to ensure that future data processing of personal data takes place in line with the GDPR, sanctions such as administrative fines are directed towards violations in the past and carry a punitive element,” it reads.
A spokesperson for the Irish authorities said the case is ongoing and that it would be “inappropriate” to comment.
Meta has repeatedly said that a decision blocking its transfers would force it to shut down its Facebook and Instagram offerings in Europe, but a final decision is months away.
The Irish regulator is required to feed other European regulators’ comments, including Norway’s, into its decision, and may have to trigger a formal dispute resolution mechanism if it cannot resolve the objections, which would delay the process by at least another month.
Meta could also still appeal a finalized Irish decision, which would again delay the need to trigger a Facebook and Instagram blackout in Europe.
The process buys EU and US officials critical months to agree a new transatlantic data pact to replace the now-defunct Privacy Shield. Negotiators plan to complete a new deal within the first quarter of 2023. When such a new EU-US data deal is in place, Meta and thousands of other companies would be able to use that agreement — not SCCs — to move people’s information across the Atlantic in a legal way.
A Meta spokesperson said “this issue relates to a conflict of EU and US law which is in the process of being resolved. We welcome the EU-US agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us and others to keep families, communities and economies connected.”