Meta hit with €1.2bn fine over EU-US data transfers

Meta has been hit with a record €1.2bn (£1bn) fine by the Irish Data Protection Commission (DPC) for failing to comply with GDPR.

The DPC said that Meta Ireland infringed Article 46 (1) of GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s (Court of Justice of the European Union) judgement in the ‘Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems’ case, without putting sufficient safeguards in place to protect Facebook’s European users from US data surveillance practices. It also said that data transfers between the EU and the US should be suspended within six months from the ruling.

The CJEU’s 2020 ruling found that a previous EU-US privacy shield was not GDPR-compliant because it did not protect EU citizens’ data from US surveillance.

“While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (SCCs) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment,” the DPC said.

Reacting to the fine, Meta said it would appeal the ruling “including the unjustified and unnecessary fine” and seek a stay of the orders through the courts.

In a post on the Meta website written by Nick Clegg, President, Global Affairs, and Jennifer Newstead, Chief Legal Officer, Meta said: “At the time of its decision in 2020, the CJEU confirmed that an alternative legal mechanism called Standard Contractual Clauses (or SCCs) would continue to be valid subject to various legal safeguards. As such, like thousands of other businesses, Meta used SCCs believing them to be compliant with the General Data Protection Regulation (GDPR)…

“We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.

“The DPC initially acknowledged that Meta had continued its EU-US data transfers in good faith, and that a fine would be unnecessary and disproportionate. However, this was overruled by the EDPB, which also chose to disregard the clear progress that policymakers are making to resolve this underlying issue. This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”

Edward Machin, a senior lawyer in Ropes & Gray’s Data, Privacy & Cybersecurity Practice, said this is a rare case of the first billion euro fine under the GDPR being the least important part of the story.

“The DPC’s ruling that the standard contractual clauses are not a valid mechanism to transfer personal data to the US will have a significant impact on the ability of organisations of all shapes and sizes to lawfully share and receive data from Europe,” said Machin. “It will also kick off a race against time for lawmakers to finalise the EU-US data transfer framework before the end of the six-month transition period that the DPC has given Meta to bring its transfers into compliance.”

“This saga has been rumbling on for more than a decade and we are still no closer to a lasting solution. Even if the data transfer framework is agreed it will almost certainly be challenged before the European Court of Justice, just like its predecessors, and there is a reasonably good chance that it will also be invalidated. In the meantime, businesses on both sides of the pond are stuck in a groundhog day that will continue to cost significant time and money while not giving the legal certainty that surely isn’t too much to ask for at this point.”

And Harry Keen, CEO and Co-founder of generative AI startup Hazy, said the fine should focus big tech on getting data privacy right. He said: “Since 25 May 2018, over 1,600 fines have been issued to companies, organisations and private individuals for breaching these regulations for a combined sum of €2.78bn – not including the latest sanction. Amazon, Facebook/Meta, Google, and subsidiaries of these major companies have all been hit with hefty fines into the hundreds of millions of euros because of GDPR breaches – before the latest billion-euro fine handed to Meta. Many assume technology giants have the expertise and resource to mitigate breaches, but they have been on the same learning curve as everyone else, as technology has radically outpaced regulation.

“World events and an unprecedented reliance on technology has seen the last five years rival decades worth of progression. But what baggage have we inherited with that progression? An uncontrollable lack of knowledge on how to manage and regulate new, disruptive technologies and how to safeguard invaluable customer data.

“The technology industry must work closely with regulators to redress the current imbalance between the rate of innovation and ability to regulate technology, but not stifle how it creatively evolves. Five weeks feels like five years now, and only through continued collaboration and consistent conversation between businesses, regulators, and governments can we strive for a future where customer data is safeguarded effectively in an increasingly digital world.”