Meta Penalized $1.3B by the Irish DPC for Illegal Data Transfers to the U.S.

This is the largest privacy-related fine issued under GDPR for any company, not just Meta.

May 23, 2023

  • This week, the Irish Data Protection Commission (DPC) penalized Meta €1.2 billion ($1.3 billion) for transatlantic data transfers from the European Union to the U.S.
  • The fine accompanies an order to suspend all future transfers of personal data to the U.S. in the next five months and cease the “unlawful processing, including storage, in the U.S. of personal data of EU/EEA users transferred in violation of the GDPR” in six months.
  • Meta plans to appeal both the fine and the orders issued to stop data transfers.

This week, the Irish Data Protection Commission (DPC) handed the most significant privacy-related penalty yet to Facebook owner Meta. The DPC penalized Meta €1.2 billion ($1.3 billion) for transatlantic data transfers from the European Union to the U.S.

This is the largest privacy-related fine issued under GDPR for any company, not just Meta. The fine accompanies an order to suspend all future transfers of personal data to the U.S. in the next five months and cease the “unlawful processing, including storage, in the U.S. of personal data of EU/EEA users transferred in violation of the GDPR” in six months.

The latest fine on Meta, which also counts Instagram, WhatsApp, and Oculus among its properties, is larger than the €746 million ($888 million) penalty imposed on Amazon in 2021. Tom Kellermann, SVP of cyber strategy at Contrast Security, told Spiceworks, “This is the most severe fine issued under a GDPR violation. Meta should learn that privacy cannot exist without robust cybersecurity. That being said, the ghost of Snowden lingers.”

In February 2022, Meta suggested it would have to leave the European market. In its Form 10-K filing to the Securities and Exchange Commission (SEC), the company said it would reconsider its European business over concerns about a new transatlantic data-sharing agreement in the pipeline, before making a U-turn and suggesting otherwise.

Meta’s president of global affairs, Nick Clegg, and chief legal officer, Jennifer Newstead, confirmed in a blog post that there would be no disruption to Facebook and Instagram, given there’s an implementation period.

As of Q1 2023, Statista data indicates that Facebook is used by 411 million European users, down 1.67% since the same period last year. This is 13.74% of the platform’s total monthly active users (MAUs). On the other hand, Instagram has ~294 million users in Europe (Statista data), approximately 29.4% of its global MAUs.

Data sharing and transfers between the E.U. and the U.S. were previously governed by Privacy Shield. This framework was discarded by the Court of Justice of the European Union (CJEU) in July 2020 following the Schrems II case.

Max Schrems, an Austrian data privacy activist, alleged through a lawsuit that once data leaves the E.U., there is no way of knowing who will access it. The U.S. does not have federally imposed GDPR-like privacy protection laws, thus stripping E.U. citizens or companies of their entitlement to appropriate compensation if their data is misused.

The lawsuit was filed in the aftermath of the explosive revelations by Edward Snowden and sought to quash the Privacy Shield framework. As a temporary measure, Privacy Shield was replaced by Standard Contractual Clauses (SCCs) while a new framework took shape.

Last year, the E.U. and the U.S. agreed on a framework “in principle” during President Joe Biden’s visit to the E.U. The new framework is expected to be signed later this year, after July.

In the meantime, the Irish DPC concluded that Meta violated Article 46(1) of GDPR, which requires that users’ privacy and the safety of their data be protected at a level “equivalent to that provided by E.U. law.”

As such, Meta has been ordered to stop transatlantic data transfers by October 12, 2023. Richard Hollis, CEO of Risk Crew, told Spiceworks, “This is a potentially game-changing fine. It clearly signals that serious infringements bear serious consequences and also demonstrates how legislation is defining borders on the internet by mandating that data is stored within the country where it is collected, rather than allowing it to move freely through data centers across the world.”

Erich Kron, security awareness advocate at KnowBe4, commented, “It is imperative that businesses that do business internationally, or even between other states within the U.S., understand the laws that affect the information they collect and keep on hand.”

Clegg and Newstead argue that a lack of transatlantic data transfer law, caused by the absence of common ground between the E.U. and the U.S. regulations, has led European authorities to single out Meta. “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the E.U. and the U.S.,” the duo wrote.

Kron told Spiceworks that a smaller company would be unlikely to receive such a fine. “Although your typical small organization would not receive a fine of this size, these fines are designed to create a punitive consequence for organizations that mishandle data, so the fine is never likely insignificant,” Kron concluded.

Meta plans to appeal both the fine and the orders issued to stop data transfers.

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis