A cautionary poke: $1.2 billion fine imposed on Meta is a warning sign for Israeli companies

The huge 1.2 billion euro fine that Meta received last week from the European Union following the transfer of information of Facebook users from the EU to the United States is unprecedented in its scope when it comes to violations of EU privacy laws (GDPR). It also sends a clear message to the company and other technological platforms regarding how far the EU is willing to go to protect the information of its citizens. Moreover, the fine imposed is also a clear warning sign to Israel and its high-tech industry, which may find itself in an unfavorable position similar to Meta's with one key difference: it will be much more difficult for local companies to absorb huge fines.

The fine imposed on Meta was announced by the Data Protection Commission of Ireland, but was determined by the European Data Protection Commission (EDPB) and addresses an infringement on the privacy of all residents of the Union. This decision came on the back of a 2020 ruling by the European Court of Justice, the highest court of the European Union in matters of Union law, which negated the agreement signed in 2016 that allowed American companies to transfer information from the European Union to the United States. The agreement was invalidated due to incompatibility with the Union's privacy laws, because, among other reasons, it didn't prevent U.S. spy agencies from accessing the information.

Meta Dublin office.

Despite this decision, Facebook continued to transfer information to the U.S., and as a result, the Commission fined the company. Along with the fine, Meta was banned from transferring the information collected on Facebook users in the European Union to the U.S.. The decision does not concern Meta's other platforms — Instagram, WhatsApp and Messenger.

Meta was given five months to implement the ruling, and the company also announced that it is expected to appeal it and the fine, which is expected to delay its implementation by months if not years. In addition, the U.S. and the Union are negotiating a new information sharing agreement. Signing such an agreement could render the Commission's decision irrelevant.

Even if the decision and the fine are canceled in light of a new information transfer agreement, the mere imposition of it in light of the current situation is an example of the Union's determination to protect the information of its residents.

Israel is currently negotiating with the European Union on the renewal of its compliance with the Union's privacy legislation. This compliance states that the privacy laws in Israel provide sufficient protection, and allows information about the residents of the Union to be transferred to Israel and be processed as if Israel was part of the European Union.

If the renewal of compliance is not approved, Israeli companies will actually be in the same situation as Meta, only they will suffer more serious consequences. First, there will be fewer practical barriers to prevent the Union from imposing huge fines on these companies and applying other sanctions against them - they do not have the power, the lobbying strength or the user base that makes Meta such a force.

In addition, fining a startup will have a deeper impact. Although the fine can only reach 10% of the global revenue of the fined company, Meta is an established company that usually generates significant profits. For a startup that is fighting for every cent that comes in, a 10% fine can be a death blow.

"Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos," said Meta. The statement conveniently ignored the fact that the Union is not opposed to the transfer of information between countries, but rather that information about its residents that reaches the U.S. becomes fodder for the country's intelligence organizations.

The fine is the highest imposed on a company following a GDPR violation, but is far from the first. In July 2021, Amazon was fined 746 million euros in light of an improper procedure in which it received consent from users to show them targeted advertisements. Meta itself received four previous fines in amounts between 225 million and 405 million euros, among other things for violating the privacy of children on Instagram and leaking information from Facebook.

If the unprecedented fine can be attributed to one person, the credit goes to Austrian privacy activist Max Schrems. In 2020, it was Schrems who petitioned the European Union court against an information transfer agreement between the EU and the U.S. It was the acceptance of this petition that led to Meta's current predicament. Schrems now estimates that only profound changes will allow Meta to transfer information from the EU to the U.S.

"Israel will be directly affected by the decision and the fine, both in the context of the decrease in the chance of obtaining compliance with European law and in the devastating fines that may be imposed on companies that transfer information to Israel, and because of the restriction on the transfer of information from Israel to the United States that may arise due to the European requirement," Dr. Tehilla Shwartz Altshuler from the Israel Democracy Institute told Calcalist. "This is a fine related to the fact that the American security authorities are snooping on personal information about residents of the European Union that is transferred to the U.S. in a way that makes it impossible to guarantee a level of protection equivalent to that of the GDPR. In Israel, the Privacy Protection Law has a blanket exemption for the security authorities and another exception also exists in the Shin Bet law. These exemptions do not meet EU requirements. Therefore, according to the ruling given in 2020 which resulted in Meta being fined, Israel does not meet the requirements of the European Union and it will lose the compatibility status of its data protection laws vis-à-vis the Union."

Another aspect that may make it difficult to renew compliance is the judicial reform. "The basis for decisions on compliance is also connected to the independence of the judicial system and the way a government can make use of information," said Prof. Eran Toch, head of the undergraduate program in Industrial Engineering and Management at Tel Aviv University's Faculty of Engineering. "The previous decision on compliance from 2011 includes a reference to the fact that, although Israel does not have a written constitution, there are basic laws and extensive use of precedents in the judicial system. The reform threatens this basis. Countries like Russia or Turkey did not receive compliance partly because of the lack of independence of their judicial system.

"If there is no compliance, any company that receives information from a European company has to invest a lot of resources to meet the regulatory requirements. Many companies will not be able to pay these costs, and many European companies will not want to do business with you. Amnon Shashua spoke about the dangers of losing compliance, and said that if the Union sees there is a violation of democracy, a company like Mobileye will not be able to hold user information in Israel, which will lead to a situation where the company will gradually withdraw from Israel. The Council for the Protection of Privacy in the Ministry of Justice raised the issues of compliance in an official letter with the Minister of Justice Yariv Levin, but the minister simply ignored the letter."