Facebook’s owner Meta has been fined €1.2bn ($1.3m) by EU regulators for violating the General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on May 22, 2023.
The Irish watchdog claimed that Meta’s transfers of personal data to the US on the basis of standard contractual clauses (SCCs) since 16 July 2020 violate GDPR.
In 2020, the European Court of Justice revoked the Privacy Shield, an EU-US data flows agreement, over fears of US surveillance practices and restricted the use of SCCs.
While the EU and the US are working on a new data flow deal expected later this year, Meta and other multinational companies have continued to rely on the previous agreement illegally, the DPC claimed.
Meta has been given until October 12, 2023, to stop relying on SCCs for their transfers.
This is the largest fine imposed under GDPR, amounting to nearly twice previous record of €746m ($808m) issued to Amazon by Luxembourg’s data protection authority (CNPD) in July 2021.
Andrea Jelinek, chair of the European Data Protection Board (EDPB), justified the amount, saying that “Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
A Wake-Up Call to US Companies
According to Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice, the amount of the fine is “the least important part of the story.”
“The DPC’s ruling that the standard contractual clauses are not a valid mechanism to transfer personal data to the US will have a significant impact on the ability of organizations of all shapes and sizes to lawfully share and receive data from Europe,” he told Infosecurity.
“It will also kick off a race against time for lawmakers to finalize the EU-US data transfer framework before the end of the six-month transition period that the DPC has given Meta to bring its transfers into compliance,” Machin said.
John Magee, the head of data protection, privacy & cybersecurity at DLA Piper Ireland, agreed.
“While the scale of the DPC’s record-breaking fine is certainly eye-catching, the suspension order will probably bite much harder for Meta, both operationally and commercially,” he said.
Machin also expects the upcoming new data flow agreement between the EU and the US will probably not solve the case.
“This saga has been rumbling on for more than a decade and we are still no closer to a lasting solution. Even if the data transfer framework is agreed it will almost certainly be challenged before the European Court of Justice, just like its predecessors, and there is a reasonably good chance that it will also be invalidated. In the meantime, businesses on both sides of the pond are stuck in a groundhog day that will continue to cost significant time and money while not giving the legal certainty that surely isn’t too much to ask for at this point,” Machin said.
Magee also argued that this fine could act as a wake-up call for US companies. “Leaving aside the specifics of the long-running case against Meta, the DPC’s decision also carries major implications for businesses across all sectors engaged in the day-to-day activity of international transfers of personal data. […] And while global data transfers are still possible to lawfully carry out, the DPC’s decision has now raised the stakes, focusing attention on the controls that organizations need to have in place as well as forcing businesses to think about their overall data governance strategies.”
Meta has already been issued five other fines under GDPR, totaling €2.502bn ($2.708bn) financial penalty since 2018.
May 25, 2023, will mark the fifth anniversary of the EU privacy law.