The decision, which Meta plans to appeal, is the latest in a years-long legal tug-of-war. Section 702 of the Foreign Intelligence Surveillance Act allows US intelligence agencies to obtain emails and other customer communications from US companies without court approval. The privacy provisions apply only to US citizens and residents. Although the EU has repeatedly urged US companies to protect European data from such access, this has never been fully implemented.
Unless US surveillance laws are changed, Meta must now fundamentally restructure its system. At the heart of the penalty is the fundamental legal conflict between US government regulations and European data protection law. The US Congress is waiting for an update to FISA Section 702; however, the privacy rights of non-US citizens have not been addressed in the debate so far.
Time will tell whether a court will uphold this decision. However, the transfer of data to the US has long been a problem and a risk that should not be taken lightly. The decision comes at the same time as the Data Protection Conference statement, which tightens the requirement for cloud providers outside the EU or secure third countries.