Meta, the parent company of Facebook, has been hit with a staggering fine of €1.2 billion (£1 billion) by the Irish Data Protection Commission (DPC) for mishandling user data during its transfers between Europe and the United States. This penalty stands as the largest ever imposed under the European Union’s General Data Protection Regulation (GDPR) privacy law.
The DPC’s decision focuses on the use of standard contractual clauses (SCCs), which are legal contracts approved by the European Commission. These clauses are designed to ensure that personal data remains protected when transferred outside of the EU. However, concerns have been raised about the exposure of European citizens to the weaker privacy laws of the US, and the potential for US intelligence agencies to access the data.
Meta has expressed its intention to appeal the ruling, calling it “unjustified and unnecessary.” The company argues that the broad usage of SCCs across numerous companies makes the fine unfair. Facebook President Nick Clegg stated, “This decision is flawed, unjustified, and sets a dangerous precedent for the countless other companies transferring data between the EU and the US.”
It is worth noting that this decision does not have an impact on Facebook in the UK. The Information Commissioner’s Office clarified that the ruling “does not apply in the UK” but added that it would review the details in due course.
Privacy advocacy groups have applauded the DPC’s decision, highlighting its significance in terms of risk for companies. Caitlin Fennessy from the International Association of Privacy Professionals stated, “The size of this record-breaking fine is matched by the significance of the signal it sends.” Fennessy further suggested that EU companies may demand that US partners store data within Europe or switch to domestic alternatives.
This landmark ruling comes after a decade-long battle surrounding the legality of transferring EU data to the US. Edward Snowden’s revelations in 2013 exposed American authorities’ repeated access to individuals’ information through technology companies like Facebook and Google. Privacy campaigner Max Schrems filed a legal challenge against Facebook, initiating the long-running dispute.
The European Court of Justice (ECJ) has consistently expressed concerns about the lack of sufficient checks to protect European data from access by US authorities. In 2020, the ECJ declared an EU-to-US data transfer agreement invalid, but left room for companies to utilize SCCs as long as an “adequate level of data protection” was ensured. Meta has been found to have failed this requirement.
Max Schrems expressed satisfaction with the decision after years of litigation but also stressed the need for US surveillance laws to be addressed. He stated, “Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.” However, experts believe that despite the substantial fine, Meta’s privacy practices are unlikely to undergo significant changes. Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, remarked, “A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally.”
In a similar vein, Amazon faced fines in 2021 for breaching the EU’s privacy standards. WhatsApp, another business owned by Meta, has also been fined by the DPC for violating regulations concerning transparency about data shared with its subsidiaries.
As Meta vows to contest the ruling and appeals proceed, the outcome will have substantial implications for data transfers between the EU and the US and may prompt companies to reevaluate their data handling practices to comply with GDPR regulations and protect user privacy.