Ireland’s Shifting Fines Against Meta Reflect Growing Pains for EU Data Privacy Regulation
“Data regulation in Europe is not so complicated, but it’s not so easy, either.”
“Laws are like sausages,” Otto von Bismarck, the 19th-century Prussian statesman, is believed to have said. “It is better not to see them being made.”
Big Tech companies operating in the European Union (EU) in the 21st century do not have that option. In fact, their activities and how they are regulated are making European law in public on a daily basis—with all the confusion, frustration, and financial risk that implies, lawyers say.
The latest example of this concerns Meta, the parent company of Facebook and Instagram, which was hit this year with two multi-million-euro fines for breach of EU data-privacy rules.
Ireland’s national Data Protection Commission, which regulates Meta in Europe, issued the fines—€210 million for Facebook and €180 million for Instagram—in January for breaches of the EU’s General Data Protection Regulation (GDPR) dating back to 2018.
The Irish regulator had originally proposed much lower fines—less than 10 percent of the final amount. But a pan-European body, the European Data Protection Board (EDPB), which groups representatives from all national authorities, rejected the lower fines as too low to act as a deterrent. The EDPB, a dispute resolution body with the power to issue binding judgments, asked the Irish authority to raise the fines for certain infractions.
Now Meta says it is looking at appealing the fines, a lengthy process that would run first through the Irish courts and eventually through the EU court system. The company’s CFO has warned investors that the cases could weigh on first-quarter earnings and on Meta’s cross-border business.
The Irish authority is also looking at appealing the EDPB’s decision to the European Court of Justice, asserting that part of the board’s decision relating to business practices was an overreach of authority.
Lawyers who specialize in EU tech regulation told Treasury & Risk’s sister publication Law.com International that all of this legal back and forth is by design—and it is not limited to data privacy.
As EU lawmakers have increasingly waded into big, complicated issues such as digital services, digital markets, and the metaverse, they have grappled with two goals: creating consistency over the 27-nation bloc and resolving the differences in interpretation that will inevitably arise among members. In data privacy, lawyers said, GDPR is the law, but how it is applied is still a work in progress—as cases like the ones involving Meta show.
“Data regulation in Europe is not so complicated, but it’s not so easy, either,” Marc Mossé, senior counsel at the French firm August Debouzy and a former attorney at Microsoft, told Law.com International.
Benoît Barré, a partner and head of digital law at Le16 Law in Paris and a former top counsel for Apple, noted that coordination mechanisms are an integral part of regulation in Europe in many domains, including cybersecurity, banking and finance, and digital services. Boards like the EDPB were “set up to ensure cooperation between member states in the way they enforce regulation,” Barré said. “They are actually a tool for consistency.”
Bodies of EU law fall into two broad categories: directives, which must be enacted into national law, and regulations, which are effective immediately and uniformly across all EU countries.
Before GDPR, data protection in the EU fell under a directive written in 1995 that, by definition, “gave a lot of discretion to member states as to how to apply the rules,” according to Jan Spittka, a partner and head of the German data protection and privacy group at Clyde & Co. in Düsseldorf. Because it is a regulation, GDPR “was supposed to avoid fracturing,” Spittka said. “At least that’s the theory.
“But when you look at GDPR, it’s a project on a scale that has never been attempted before,” he continued. “It has 99 articles, 173 recitals, it was four years in the making. It’s a very complex piece of legislation.”
Because of that complexity, the framers of GDPR took into account that “each national data protection authority will have its interpretation of the regulation, as would be true for any regulator or court,” Mossé said. “It could be different from country to country in terms of mindset, rationale, culture.”
The pan-European data protection board, he added, is how the framers “tried to organize harmonization of this interpretation to avoid any gaps, and the European Court of Justice can also play a key role in ensuring the consistency of the system.”
Each national authority is represented with equal weight on the EDPB, which has a rotating presidency. National authorities are obliged to submit their draft decisions to the board, where any other “concerned” national authority can raise an issue. If the parties can’t resolve the issue, the board will mediate and come up with a compromise binding decision.
The first time the dispute resolution procedure was triggered was in 2020, also against the Irish data authority. The EDPB ordered a near-doubling, to €450,000, of a fine on Twitter for a 2018 data breach. Authorities in Austria, Italy, and Germany objected to the fine proposed by the Irish authority of €135,000 to €275,000 as “insufficiently dissuasive.”
Ireland often finds itself in data-related disputes because its data protection commission is the lead regulatory authority for companies with European headquarters in the country—a group that includes many Big Tech companies, among them Meta, Google, Apple, Twitter, and TikTok.
As more cases move forward, lawyers said, other national authorities will inevitably have their positions scrutinized by their peers and the courts for interpretation and consistency with EU rules. “This is, in the end, how we get harmonized law,” Spittka said. “Looking at a chunk of rules like GDPR, we’re still in this process.”
Barré added that judicial review on the merits is important not only in giving lawyers guidance that they can pass on to their clients, but also to reassure companies wanting to do business in Europe. “It’s important to remember that Europe, as part of the big scheme of things, is in competition with other economies,” he said. “You need to have predictability and consistency. That’s what regulation in Europe is about.”
And of course, lawyers noted, data privacy is not the only sausage in the EU’s kitchen. “If you think this looks complicated,” Mossé said, “wait until we see AI [artificial intelligence] regulation.”