Ireland’s national Data Protection Commission, which regulates Meta in Europe, issued the fines —€210 million for Facebook and €180 million for Instagram—in January for breaches of the EU’s General Data Protection Regulation, or GDPR, dating back to 2018.
The Irish regulator had originally proposed much lower fines—less than 10% of the final amount. But a pan-European body, the European Data Protection Board (EDPB), which groups representatives from all national authorities, rejected the lower fines as too low to act as a deterrent.
The EDPB, a dispute resolution body with the power to issue binding judgments, asked the Irish authority to raise the fines for certain infractions.
Now Meta says it is looking at appealing the fines, a lengthy process that would run first through the Irish courts and eventually through the EU court system. The company’s chief financial officer has warned investors that the cases could weigh on first-quarter earnings and on Meta’s cross-border business.
The Irish authority is also looking at appealing the EDPB’s decision to the European Court of Justice, asserting that part of the board’s decision relating to business practices was an overreach of authority.
Lawyers who specialize in EU tech regulation told Law.com International that all of this legal back-and-forth is by design—and it is not limited to data privacy.
As EU lawmakers have increasingly waded into big, complicated issues such as digital services, digital markets, and the metaverse, they have grappled with two goals: creating consistency over the 27-nation bloc and resolving the differences in interpretation that will inevitably arise among members.
In data privacy, lawyers said, GDPR is the law, but how it is applied is still a work in progress—as cases like the ones involving Meta show, lawyers said.
“Data regulation in Europe is not so complicated, but it’s not so easy, either,” Marc Mossé, senior counsel at the French firm August Debouzy and a former attorney at Microsoft, told Law.com International.