Facebook’s owner Meta has been fined €1.2bn ($1.3m) by EU regulators for violating the General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on May 22, 2023. The Irish watchdog claimed that Meta’s transfers of personal data to the US on the basis of standard contractual clauses (SCCs) since 16 July 2020 violate GDPR.
In 2020, the European Court of Justice revoked the Privacy Shield, an EU-US data flows agreement, over fears of US surveillance practices and restricted the use of SCCs. While the EU and the US are working on a new data flow deal expected later this year, Meta and other multinational companies have continued to rely on the previous agreement illegally, the DPC claimed.
Meta has been given until October 12, 2023, to stop relying on SCCs for their transfers. This is the largest fine imposed under GDPR, amounting to nearly twice the previous record of €746m ($808m), which was issued to Amazon by Luxembourg’s data protection authority (CNPD) in July 2021. Meta IE’s violation is highly significant because it involves transfers that are systematic, recurrent, and ongoing, according to Andrea Jelinek, chair of the EDPB, who defended the hefty fine.
Facebook’s millions of European users mean a huge data transmission of sensitive information. The historic fine sends a clear message to violating businesses that they will face severe repercussions. According to Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice, the amount of the fine is “the least important part of the story.”
The DPC’s decision that standard contractual clauses are not an adequate mechanism for transferring personal data to the US may have far-reaching consequences for the legality of data sharing and receipt by businesses of all kinds across Europe.
According to Machin, this would set in motion a race against time as lawmakers try to complete the EU-US data transfer framework before the conclusion of the six-month transition period the DPC has given Meta to bring its transfers into compliance. John Magee, the head of data protection, privacy & cybersecurity at DLA Piper Ireland, agreed.
“While the scale of the DPC’s record-breaking fine is certainly eye-catching, the suspension order will probably bite much harder for Meta, both operationally and commercially,” he said. Machin thinks the case will not be resolved by the new EU-US data transfer agreement set to go into effect soon.
It’s been over a decade since this tale began, and we still haven’t found a permanent resolution. There is a significant probability that the European Court of Justice will also invalidate the data transfer framework if it is agreed upon, just as it has invalidated its predecessors. Machin said that firms on both sides of the pond are stuck in a rut, since nothing has changed despite the fact that they would benefit greatly from legal certainty.
Meta has already been issued five other fines under GDPR, totaling €2.502bn ($2.708bn) in financial penalties since 2018. May 25, 2023, will mark the fifth anniversary of the EU privacy law.
Meta received the EU’s largest privacy fine of €1.2bn and was forced to stop sending customer data to the US. On Monday, Ireland’s Data Protection Commission (DPC) fined Facebook for violating EU data protection rules. It ruled Dublin-based Facebook violated EU-to-US data transfer guidelines. Even though the transfers were mostly based on European Commission-approved contractual clauses, Meta Ireland’s changes in response to a 2020 European Court of Justice ruling “did not address the risks to the fundamental rights and freedoms” of such transfers. The Luxembourg regulator fined Amazon €746m for privacy infringement in 2021.
The decision comes despite ongoing pressure in Europe for stricter data transfer standards to the US, with activists warning that surveillance programs still have access to personal data and other EU institutions criticizing earlier Brussels treaties with Washington as too loose. “We are disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,” said Meta’s president of global relations, Nick Clegg.
“This decision is flawed, unjustified, and sets a dangerous precedent for the countless other EU-US data transfer companies.” The DPC has given Facebook EU five months to “suspend any future transfer of personal data to the US”. It also gave the group six months to stop processing and storing European citizens’ personal data in the US, contravening the bloc’s General Data Protection Regulation. A transatlantic privacy shield may be implemented once the firm appeals the ruling. In October 2022, US President Joe Biden signed an executive order outlining the White House’s compliance with a new EU-US data privacy agreement under negotiation.
Meta’s fine over data privacy breaches underscores the critical challenges that companies face around data compliance. Organizations across the world need a comprehensive understanding of what sensitive and personal data they have, where it is located, who has access to it, and what specific laws and regulations apply. A lack of insight and awareness makes it difficult to effectively protect and manage the data in compliance with the myriad of today’s privacy laws. It is particularly difficult to navigate cross-border transfers of data and data sovereignty restrictions, as various jurisdictions have their own data protection laws, as is the case with Meta’s record-setting fine.
This highlights the need for automated systems that can provide deep insights into sensitive data, as well as into the context around that data, such as the regulations that apply, its geographic location, and access permissions. With these automated insights, organizations can intelligently monitor and alert on potential violations; manual processes are often inadequate given the sheer volume of sensitive data companies handle.