Another heavy fine on Facebook owner Meta for egregious privacy violations prompts yet more anxiety about the giant company’s stewardship of personal data entrusted to it by legions of users. Mark Zuckerberg’s €590 billion empire stands accused of the “highest degree of negligence” by carrying on massive transfers of Facebook data to the US in defiance of EU law, after a 2020 ruling in Europe’s highest court that struck down the arrangement.
Meta has cried foul, saying it will appeal the ruling to the High Court. The company claims it was “singled out” for using what it cast as the “same legal mechanism” for transfers as thousands of other companies. Most likely there are indeed issues for other groups who rely on provisions known as standard contractual clauses, although agreement is near on a new EU/US deal to supersede the system dismissed by the court.
But it is not good enough for Meta to trivialise serious findings that systematic data transfers broke the law. These are serious issues for a global business whose abundant profit is predicated on the use of data it harvests from billions of people. This case centred on huge transfers of photographs, videos and messages, the stuff of everyday life with family and friends. After an unambiguous court ruling, the lack of basic legal grounding for these transfers was glaring.
This helps explain the magnitude of the record €1.2 billion fine imposed by Helen Dixon, Ireland’s data protection commissioner. She is responsible for pan-European oversight of Meta because its EU headquarters is in Dublin, and she had previously levied €1.3 billion in fines on the company in six separate privacy cases. On this occasion, however, Dixon argued against a fine on the basis that an order to cease US transfers would be sufficient. Regulators in Austria, Germany, France and Spain disputed that approach, ultimately leading the European Data Protection Board to overrule her.
Thus the penalty handed out in Dixon’s name, which she will have to defend in the High Court, was issued under instruction from Brussels. This may well embolden critics who claim that her office is too slow to respond to Big Tech privacy violations and soft on sanctions. She has always dismissed such complaints, while navigating byzantine procedures in Europe’s general data protection regulation that make long delays inevitable whenever companies must be held to account.
In her original draft ruling, the Irish regulator found Meta had acted in good faith when continuing transfers after the fateful court judgment. This was rejected by fellow regulators, who found the company’s actions were intentional. It seems reasonable to say the good faith argument must also be gauged against Meta’s long track record of privacy violations.