Max Schrems: Irish penalty for meta too low

The Austrian data protection activist Max Schrems, who together with his organization sued Meta for violations of the GDPR and initiated years of proceedings, believes that the fine imposed by the Irish authority is too low. In his opinion, Meta should have paid 4.36 billion euros, not 390 million.

The back story: dispute among data protection authorities

We already reported on the back story of the order against Meta earlier this year. At the center of the dispute is the allegation that Meta unlawfully processed user data on both Facebook and Instagram. The group did not obtain explicit consent as intended, but simply stipulated the right to process the data in its terms and conditions. Data protection activist Schrems saw this as a violation of the GDPR – as did numerous data protection authorities in various EU countries. For Meta, however, only the Irish authority is responsible due to the company’s headquarters. The Irish authority, in turn, sided with Meta in the dispute and approved the action.

As a result, a dispute arose between the Irish and other data protection authorities in the EU, which culminated in the involvement of the European Data Protection Board. This committee ultimately ruled that the data processing was not legally compliant. It also ordered the Irish authority to impose a fine on Meta.

Dispute over amount of penalty for Meta

However, this was far from the end of the matter. Initially, the Irish authority wanted to impose a fine of just 59 million euros. The European Data Protection Board then intervened again. According to the committee, the fine was too low and not commensurate with the revenues generated by Meta during the period in question. The Irish authority then increased the fine to 390 million euros. This sum, in turn, is now bothering Schrems, who says Ireland gave Meta almost four billion euros as a gift.

Specifically, he refers to the fact that the actual revenue generated from the illegally collected data was not sufficiently taken into account in the penalty calculation. According to his calculation, Meta’s revenue between the third quarter of 2018 and the third quarter of 2022 in the EU was around 72.5 billion euros. A large part of this, he said, was generated only because of the illegally collected data. Taking these revenues into account and orienting the penalty to the upper limit of the discretion given by law, the penalty would consequently have to be significantly higher.

Dispute over responsibilities

There is also a dispute over competences. For example, the European Data Protection Board has instructed the Irish data protection authority to investigate Meta’s handling of data in other business areas as well. The Irish authority refuses to do so, as it does not consider the EU body to have the authority to issue instructions in this case. A legal dispute therefore seems unlikely to be avoided.

The background of the disputes are the diverging interests of Ireland and the EU. Ireland is considered a popular country for EU branches of large corporations due to its low tax rates for companies. The aim is to maintain this status by pursuing policies that are as business-friendly as possible. After all, it guarantees the country an economic boom: companies create many jobs and generate high tax revenues despite the low rates. Consequently, Ireland is not interested in imposing drastic penalties. The EU, on the other hand, has made it its goal to set limits for the large digital corporations in order to protect state spheres of influence against the interests of the private sector.