> <i>“It took us ten years of litigation against the Irish DPC to get to this result. We had to bring three procedures against the DPC and risked millions of procedural costs. The Irish regulator has done everything to avoid this decision, but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland - the EU Member State that did everything to ensure that this fine is not issued."</i><p>Kinda crazy how Irish regulators did everything in their power to avoid this outcome. But I guess that's why Meta and other big players are situated in Ireland, they rely on them not enforcing stuff and some meager taxes.
The team at noyb is consistently amazing. Makes me really happy that I'm a card carrying member. (Yes, supporters get a plastic member card. It has no function afaict, but it's the <i>one</i> useless thing I carry in my wallet at all times, just so I can call myself a card-carrying member. It's the only such card I carry, for anything.)
> These hopes may however be shattered soon. It is not unlikely that the new deal will be invalidated by the CJEU - just like the two previous EU-US data deals (“Privacy Shield” and “Safe Harbor”). Such invalidations have retroactive effect.<p>If I understood correctly, if they keep transferring data to the US before CJEU considers that the new deal does satisfy regulations, they may just be setting themselves up for another record fine.<p>I'm fine with this.
Politically, stopping data transfers to the US is not viable, because it would impact the deal between the EU and the USA (US covers EU defence for access to the EU common market).<p>For this reason, I don't think we'll ever see a Chinese-style expulsion of US tech companies from the EU.<p>Therefore, we've seen over a decade of a dance between the judiciary banning data transfers to the US (Safe Harbor ruling, etc) and then politicians overturning these rulings before it actually impacts anything.
The decision PDF is lengthy but boils down to the following two instructions on page 73:<p>> 273. In light of the above, the EDPB instructs the IE SA to impose an administrative fine on Meta IE for the infringement of Article 46(1) GDPR that is in line with the principles of effectiveness, proportionality and dissuasiveness under Article 83(1).<p>> 279. In light of the above, the EDPB instructs the IE SA to include in its final decision an order for Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the IE SA’s final decision to Meta IE.<p>I understand the financial incentive for Ireland to be an attractive host country for tech companies, but as the article points out, this took on truly ridiculous dimensions. Even more so after May 2018, when the GDPR was published, which -- by recognizing the protection of PII as a fundamental right -- dealt a <i>massive</i> blow to the "productize your customer" business model.<p>> Ten years, three court proceedings and millions in legal costs. The Irish DPC’s role in this procedure is exceptional, as it has consistently tried to block the case from going ahead, in 2013 it rejected the original complaint as “frivolous” – requiring Mr Schrems to go all the way to the CJEU. The DPC then took the view that it cannot take action, given that Meta made use of so-called “Standard Contractual Clauses”, which was again rejected by the CJEU, who told the DPC that it must take action. Finally, the DPC tried to shield Meta from a fine and the deletion of data that is already transferred, just to be overturned by the EDPB. Overall these procedures lead to costs of more than 10 million Euro - the fine, however, will go the Irish state.
It is also a big blow to the DPC. There are also many other questionable DPAs and national legislators, some of which are already under infringement proceedings.<p>This is big news:<p>"Furthermore, the EU's Collective Redress Directive must also be implemented this summer, which will for the first time allow collective actions by European user for GDPR violations."
I always thought this would be a cool thing to do if I ran Evil Corp...<p>A = <totally random bits><p>B = <personal data> XOR A<p>Store A in USA<p>Store B in EU<p>The data is not stored in EU, and it's not stored in USA either. It's not stored elsewhere. But Evil Corp still has it!
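The split described in the comment above is 2-of-2 XOR secret sharing. The following is an added example, not part of the original thread; the function names and the sample record are constructed for illustration. It shows that either share alone is consistent with any plaintext of the same length, that a party able to read both shares recovers the record exactly, and that reusing one pad A for two records leaks their XOR.

```python
import secrets

def xor(x: bytes, y: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(x) != len(y):
        raise ValueError("inputs must have equal length")
    return bytes(p ^ q for p, q in zip(x, y))

def split(data: bytes) -> tuple[bytes, bytes]:
    """Return (A, B): A is a fresh random pad, B = data XOR A."""
    a = secrets.token_bytes(len(data))
    return a, xor(data, a)

def combine(a: bytes, b: bytes) -> bytes:
    """Whoever can read both shares recovers the data exactly."""
    return xor(a, b)

def pad_explaining(share: bytes, candidate: bytes) -> bytes:
    """Pad under which `share` would decode to `candidate`.

    One exists for every candidate of the same length, so a single
    share reveals nothing about the data except its length.
    """
    return xor(share, candidate)

def pad_reuse_leak(b1: bytes, b2: bytes) -> bytes:
    """If one pad A masks two records, B1 XOR B2 = D1 XOR D2 (A cancels)."""
    return xor(b1, b2)

if __name__ == "__main__":
    record = b"name=Jane Example;dob=1990-01-01"  # constructed sample record
    a, b = split(record)
    print("A alone :", a.hex())
    print("B alone :", b.hex())
    print("A XOR B :", combine(a, b))
    # B is equally well "explained" by an unrelated plaintext of equal length.
    decoy = b"?" * len(record)
    print("decoy ok:", combine(pad_explaining(b, decoy), b) == decoy)
```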
"The current conflict between EU privacy laws and US surveillance laws are also a problem for all other large US cloud providers, such as Microsoft, Google or Amazon"<p>Globalised tech companies caught in the middle here, hard to see how they can continue to service global markets without a huge per-country localisation effort. Ones that could do it will increase cost (passed onto users of course), those that cannot withdraw from the market, furthering the fragmentation of the global internet. May not be a bad thing overall, especially for local players and for national sovereignty evangelists