Meta: Facebook owner fined €1.2bn for mishandling data

Published on
May 25, 2023

Meta’s €1.2bn fine

It’s no news that Facebook’s owner, Meta, have been fined a record €1.2bn (£1bn) by the European Union (EU) for privacy violations, which have been deemed unlawful by the EU courts. Helen Dixon of Ireland’s Data Protection Commission (DPC), which regulates Meta across the EU, imposed the hefty fine for a breach of the bloc’s General Data Protection Regulation (GDPR), making this the largest GDPR-related fine to date. The DPC continued that Meta has breached part of the European GDPR rules in the way that it had transferred personal data of Facebook users from the EU to the United States (US).

In addition to their fine, Meta have been ordered to suspend the transfer of user data from the EU to the US. This suspension is not immediate: Meta have been given 5 months to implement it and comply with the Irish DPC’s verdict, meaning Facebook users will not immediately see their service disrupted between the US and EU.

Meta have also been given 6 months to stop “the unlawful processing, including storage, in the US” of personal EU data already transferred across the Atlantic, meaning that user data will need to be removed from Facebook servers. The tech giant has been ordered by the DPC to stop storing personal data of EU Facebook users.

The fine stems from 2013, when National Security Agency (NSA) whistle-blower Edward Snowden revealed that US authorities were surveilling systems run by several US companies. Companies had been allowed to transfer EU customers’ data to the US to help them run their business, but only on the basis that they were protecting this data as well as if it was being stored in the EU. However, the Snowden revelations put a question mark over the whole system.

This sparked a request for the DPC to investigate how Facebook data was shared across continents, which was originally refused by the DPC because the complaint was not sustainable. However, this was overruled years later by the Court of Justice of the European Union (CJEU).

The Meta scandal is a case that has been running for 10 years. It started with Mr Maximillian Schrems (an Austrian national and privacy campaigner) taking the original case against Facebook in protest at how his personal data was being abused by the tech giant. He had concerns resulting from the Snowden revelations that European users’ data is not sufficiently protected from US intelligence agencies when it is transferred from the EU to the US. He stated that unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems. Over the years the case has made its way to judicial review and has been before the High Court, the Supreme Court and the Court of Justice of the European Union.

The DPC’s decision

The DPC, in her decision, argued that Meta infringed Article 46(1) of the GDPR by continuing to transfer EU user data to the US without having proper safeguards in place, despite a ruling by the CJEU in 2020 requiring robust protection of that information. The CJEU ruled that any data leaving the EU must have the same level of protection as it would have under GDPR when it reaches its destination outside of the EU. The article requires transfers of data to be subject to appropriate safeguards and Meta clearly failed here.

She continued that her decision was prompted by a ruling from the CJEU that classed commonly-used Standard Contractual Clauses (SCCs) as insufficient in protecting privacy rights. SCCs are legal contracts that contain safeguards to ensure personal data continues to be protected when transferred outside Europe. Her decision records that Meta infringed Article 46 GDPR when it continued to transfer personal data from the EU to the US following the judgement of the CJEU in an earlier case - Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. The DPC continued that the SCCs “did not address the risks to the fundamental rights and freedoms of data subject that were identified by the CJEU in its judgement”.

In her initial decision the DPC stated the fine would have been lower; however, this was overruled by the European Data Protection Board (EDPB) on objections from 4 of the 47 European data protection authorities. The EDPB’s intervention resulted in a bigger fine than originally planned.

Meta’s response

In response to the DPC’s decision, Meta have stated they would appeal against the decision and further seek a stay on the data transfer order. The company’s president, Mr Nick Clegg, said Meta are disappointed to have been singled out by the DPC despite thousands of other businesses/companies in Europe using the same data transfer processes. He argued that the DPC’s decision is flawed, unjustified and sets a dangerous precedent for other companies transferring data between the EU and the US.

Meta are expecting policymakers in the EU and US to approve a new agreement, called the “Data Privacy Framework”, on how data can be shared across borders. This is likely to supersede the DPC’s decision under the current law. If the “agreement” is put in place before Meta’s deadline to stop using the current system, there will be no disruption to Facebook.

What’s been learnt from the DPC’s decision

The decision handed down by the DPC is a harsh one; however, it should hopefully prompt other companies to ensure that they are complying with Article 46 GDPR when transferring data from the EU to another country, and so avoid such harsh fines.
