Meta, the owner of Facebook, has been fined €1.2 billion (£1 billion) by Ireland’s Data Protection Commission (DPC) for mishandling user data during its transfer between Europe and the United States. This fine represents the largest penalty issued under the General Data Protection Regulation (GDPR), the European Union’s privacy law.
The GDPR establishes regulations that companies must adhere to when transferring user data outside the EU. Meta intends to appeal the ruling, stating that it is unjustified and unnecessary.
The crux of the matter revolves around the use of standard contractual clauses (SCCs) for transferring EU data to the US. These legal agreements, created by the European Commission, include safeguards to ensure the protection of personal data during international transfers.
However, there are concerns that these data transfers still expose European users to the less stringent privacy laws of the US, and that US intelligence agencies might gain access to the data.
It’s important to note that this decision does not impact Facebook in the UK. The Information Commissioner’s Office confirmed that the ruling “does not apply in the UK,” but stated that it would review the details in due course.
The imposition of a large fine on Meta for mishandling data transfers has raised concerns about the potential implications it may have on other companies. Many major corporations have intricate networks of data transfers that involve various types of sensitive information, such as email addresses, phone numbers, and financial data, being sent to recipients overseas. These transfers often rely on the use of standard contractual clauses (SCCs).
Meta argues that the fine is unfair, citing the widespread use of SCCs by numerous companies seeking to provide services in Europe. Facebook’s president, Nick Clegg, expressed disappointment, stating that the decision is flawed, unjustified, and establishes a dangerous precedent for the countless other companies engaged in data transfers between the EU and the US.
The concern is that this ruling may have far-reaching consequences for the broader landscape of international data transfers and potentially impact other companies that rely on SCCs for their operations.
However, privacy advocacy organizations have embraced this precedent.
Caitlin Fennessy, representing the International Association of Privacy Professionals, stated, “The magnitude of this unprecedented fine aligns with the importance of the message it conveys. Today’s decision signifies that companies face substantial risks.”
Fennessy also suggested that European Union companies might start insisting that their US partners store data within Europe or explore domestic alternatives as a result of this ruling.
In 2013, Edward Snowden, a former contractor for the US National Security Agency, revealed that American authorities had been accessing people’s data through technology companies like Facebook and Google.
Following this revelation, Austrian privacy advocate Max Schrems initiated a legal challenge against Facebook, arguing that the company had failed to safeguard his privacy rights. This legal battle sparked a ten-year dispute over the legality of transferring EU data to the US.
The European Court of Justice (ECJ), Europe’s highest court, has consistently stated that the safeguards in place in the US are insufficient to protect the personal information of Europeans.
In 2020, the ECJ declared an EU-to-US data transfer agreement invalid. However, the court did permit the use of standard contractual clauses (SCCs) as an alternative, stating that data transfers to other third countries would be valid if they ensured an “adequate level of data protection.”
It is under this criterion that Meta has been found to have failed, leading to the recent ruling against them.
When asked about the €1.2bn fine, Mr. Schrems expressed his satisfaction with the decision after a decade of legal battles, although he believed the fine could have been even higher.
He added that unless US surveillance laws are addressed, Meta would need to make significant changes to its systems.
Despite the substantial size of the fine, experts believe that Meta’s privacy practices are unlikely to undergo significant changes.
Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, remarked, “A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally.”
The US recently updated its internal legal protections to provide the EU with greater assurances that American intelligence agencies would adhere to new regulations governing data access.
In a similar violation of the EU’s privacy standards, Amazon was also fined in 2021.
Furthermore, Ireland’s Data Protection Commission (DPC) has imposed fines on WhatsApp, another business owned by Meta, for breaching strict regulations related to data transparency with its subsidiaries.
About The Author
