Facebook parent company Meta has been hit with a record data protection fine and, in a separate move, will confirm details of further job losses at its Irish operation.
It all began back in 2013, when whistleblower Edward Snowden exposed the extent of spying by the US National Security Agency.
He revealed that US authorities had been accessing people's personal information via social media platforms.
The shockwaves rippled across the Atlantic and privacy campaigners in Europe started to ask questions about the safety of data stored by US tech firms.
One such campaigner, Max Schrems, filed a legal challenge against Facebook for failing to protect his privacy rights.
Lengthy court battles followed which ultimately saw the European Court of Justice strike down the 'Privacy Shield' data transfer agreement that had existed between the EU and US. European authorities no longer trusted the US to protect user data.
A new data transfer framework has been agreed between the US and EU and it is expected to be in place later this year.
A record fine
Today, the Irish Data Protection Commission (DPC) imposed a record fine on Facebook parent company Meta for breaches related to the transfer of data from the EU to the US.
The penalty exceeds the privacy fine of €746 million which Amazon was hit with in 2021.
The DPC was also ordered Facebook to stop data transfers to the US and to cease the use of legal instruments that it currently relies on for transatlantic information flows which are called 'standard contractual clauses'.
The ruling only relates to Facebook and not Meta's other services such as Instagram and WhatsApp.
There is a transition period before the suspension of data transfers comes into force and if Meta chooses to appeal the ruling, it could delay the ban further.
The social media giant will no doubt be hoping that the new EU-US data transfer framework will be in place by the time the suspension order kicks in, but the new protocol is not yet finalised.
"It is currently being discussed by the European Commission and US authorities, but that protocol has received criticism from European data protection bodies and the European Parliament," said Daragh O'Brien of Castlebridge Data Consultancy.
"So even if it comes into force, I would see it being subject to legal challenge over the next 18 months or so," he added.
Mr O'Brien said the ruling from the DPC could also have big implications for other companies and platforms that rely on 'standard contractual clauses' as the basis for their data transfers.
"The devil will be in the detail of the DPC's decision as to what the actual issue is and what the fundamental questions that need to be addressed are," he said.
"Therefore, it's really important when the decision becomes public that it is scrutinised by organisations to assess if they need to do anything extra in terms of their controls around data protection," Mr O'Brien said.
Will Meta pull out of Europe?
Meta has warned that a data transfer ban may force it to pull its services from Europe but most observers believe that is unlikely.
"That is just an empty threat," said Elaine Burke, technology journalist and host of the 'For Tech Sake' podcast.
"Meta is not going to leave the EU because it is way too big of a market for them to just pull the plug."
"I would be shocked if a company in the position that they are in would do something like that at a time when things are still quite rocky in tech. The instability that would wreak across the business would be wild," Ms Burke said.
"I think what Meta is really just saying is that they want regulations to be put in order, so they know what to be compliant with," she added.
Daragh O'Brien, of Castlebridge Data Consultancy, described threats by Meta to pull out of Europe as sabre-rattling.
"What they are being asked to do is to comply with the law within a jurisdiction, pulling out would be a clear signal that they cannot and will not comply with the law. That will simply prove to those who have been critical of Meta's approach in the past that they were right," Mr O'Brien said.
Happy Birthday GDPR
The fifth anniversary of the introduction of the General Data Protection Regulation (GDPR) will be marked in the coming days.
The EU law came into force in May 2018 imposing strict rules on how companies and organisations process data.
Marking five years of GDPR, the Irish Council for Civil Liberties (ICCL) released a report accusing the EU of being unable to police how big tech firms handle data.
In its assessment, the ICCL claimed that Ireland continues to be a bottleneck of enforcement delivering few draft decisions on major cross-border cases and frequently seeing its decisions overruled by European authorities.
"Europe's failure to enforce the GDPR exposes everyone to acute hazard in the digital age," said Dr Johnny Ryan, Senior Fellow with ICCL.
"It also threatens Europe's place in the world, the EU cannot be a regulatory superpower unless it enforces its own laws," Dr Ryan said.
Data Protection Commissioner Helen Dixon has repeatedly defended her office's record, recently pointing out that it concluded 17 large-scale inquiries last year and imposed record fines in excess of €1 billion.
Publishing her office's annual report in March, Ms Dixon said that the evidence flies in the face of claims that the DPC is too soft on big tech.
The record Meta fine that the DPC is due to issue in the coming days will further strengthen its argument that it is getting tough on enforcement.
"This decision is coming in the wake of the DPC receiving criticisms about its investigations into Meta and other tech companies," said technology journalist Elaine Burke.
"The scale of this fine will very much make it seem like the DPC isn’t playing soft anymore and I think that will be one of the big signals from this," Ms Burke said.
Job cuts
Separately, Meta is expected to confirm details of its latest round of job cuts in the coming days with fears over what it will mean for the company's Irish operation.
In March, Meta CEO Mark Zuckerberg announced plans to cut around 10,000 jobs globally.
Announcing the layoffs at the time, he said that they would impact members of the recruitment division immediately with cuts to follow in late April for Meta's tech groups and in late May for the company's business groups.
March's recruitment division layoffs resulted in around 50 job losses in Ireland and April's tech groups announcement led to less than 20 job losses from Meta's Irish-based data centre team.
It is feared that the number of staff in Ireland impacted by this week's business group redundancies could be much higher.
In November last year, Meta announced 11,000 job losses globally which resulted in more than 300 layoffs in Ireland.
The company now employs around 2,600 people here.
Concerns remain over privacy of data
On Wednesday, Montana became the first US state to ban TikTok.
The Chinese-owned video sharing app has been restricted on official devices by a number of countries and institutions, including the Irish Government, but Montana has taken things one step further by introducing an outright ban.
It will be illegal for app stores to offer TikTok to users within the state's borders.
Montana Governor Greg Gianforte signed the law claiming it would protect personal and private data from the Chinese Communist Party.
TikTok has repeatedly denied claims that it shares user information with China.
Ireland is playing a major role in the company's efforts to convince EU regulators that European user information is safe, with plans for two data centres in Dublin and one in Norway.
But despite reassurances on both sides of the Atlantic, an outright ban of TikTok in one US state has sparked questions about who might follow next.
Ten years on from the revelations of Edward Snowden, concerns remain over the privacy of our data.
The focus may have switched from the US to China but after a decade of legal battles, new regulations and fines, worries about who might be spying on us online have not gone away.
