Meta faces $1.3B fine for breaching European Union GDPR regulations on data transfer and privacy.

Meta, formerly known as Facebook, has been fined a record $1.3 billion (€1.2 billion) by the Irish Data Protection Commission (DPC) for violating the European Union’s General Data Protection Regulation (GDPR). The social media giant was fined for failing to take sufficient measures to protect the personal data of Facebook users from the European Union (EU) that was transferred to the United States (US) without the necessary safeguards.

Meta has also been given five months to stop the transfer of Facebook data to the US via standard contractual clauses (SCCs). Companies have relied on SCCs to transfer EU data to the US since 2020, when the Court of Justice of the European Union (CJEU) ruled that the Privacy Shield agreement, which was in place to facilitate the flow of data, did not sufficiently protect data from US spy agencies. The same ruling tightened the requirements around SCCs, a separate legal tool used by companies to transfer data to the US.

The Irish DPC said that Meta’s SCCs do not protect the data of EU citizens from US government mass surveillance programs, potentially impacting any company’s ability to transfer EU citizens’ data to the US. The DPC further noted that there were no avenues for either EU or US data subjects to be informed if their personal data was collected or further processed, nor opportunities to obtain access, rectification, or erasure of data.

Nick Clegg, former leader of the Liberal Democrats political party in the UK and current Meta president of global affairs, and Jennifer Newstead, chief legal officer, wrote in a blog post that the “fundamental conflict of law” between the US government’s rules on access to data and the privacy rights of Europeans is not one that Meta or any other business could resolve individually. They also expressed disappointment in the decision and insisted that they would appeal the ruling.

The fine represents the largest ever imposed by a European regulator, exceeding the $877 million (€746 million) levy on Amazon in 2021 for similar privacy violations. Nigel Jones, co-founder of Privacy Compliance Hub, described the requirement to stop storing the personal data of EU individuals as a “massive undertaking” financially, technically, and logistically, and said it is difficult to see how Meta can bring its processing within the law in the time given. He also suggested that the company’s only commercially viable option seems to be to appeal to the courts and try to further delay the decision.

Two years after the CJEU ruled that Privacy Shield was invalid, US President Joe Biden signed an executive order in October 2022 that implemented rules for the Trans-Atlantic Data Privacy Framework. The EU-US data transfer agreement provides privacy safeguards comparable to those of the EU. However, the European Data Protection Board (EDPB) must give its approval, followed by a committee comprising representatives from EU member states and the European Parliament. Only after these steps are taken can the Commission proceed to formally adopt the legislation.

If passed, US companies will be required to comply with a detailed set of privacy regulations that includes deleting personal data when it is no longer necessary for the purpose for which it was collected and ensuring continuity of protection when personal data is shared with third parties. The regulations are intended to ensure that data flow between the US and EU adheres to the GDPR privacy regulations.
