The Data Protection Commission (DPC) has hit Facebook owner Meta Ireland with a fine of €1.2 billion – the largest levied to date under GDPR rules – and ordered the social media platform to suspend the transfer of European user data to the United States and to stop the “unlawful processing, including storage, in the US” of European data already transferred in violation of European Union law.
What is the reason for this decision?
According to the DPC, Meta Ireland failed to stick to the rules that require platforms transferring user data from Europe to the US to have the necessary safeguards in place to protect that data.
Haven’t we been here before?
The latest decision is the result of a long investigation by the Irish commissioner into data transfers that has rumbled on for several years. It was kicked off initially by a legal challenge brought by Austrian privacy campaigner Max Schrems over the protection of Facebook’s European user data from US intelligence agencies when the data is transferred to the US.
That was a direct result of the Edward Snowden revelations in 2013 regarding US surveillance.
What does the ruling say?
According to the DPC’s findings, Meta updated its data-transfer arrangements after a judgment by the Court of Justice of the European Union (ECJ) that found existing rules on such transfers were not compliant with European legislation. However, these changes did not address the risks to the fundamental rights and freedoms of data subjects, the DPC found. Meta Ireland continued to transfer personal data, and as such was found to be in violation of data-protection rules.
What does Meta say about the whole thing?
The company said it was disappointed to have been “singled out” and noted thousands of other groups providing services in Europe rely on the same legal mechanism.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US,” Meta’s head of global affairs Nick Clegg said.
Who does it affect?
The ruling specifically applies to Facebook transfers. Instagram and WhatsApp were not part of this particular case. However, any changes implemented as a result of this ruling are likely to impact these services going forward.
But it is not just Meta Ireland that will be affected by the ruling. It sets out the EU’s intentions on data transfers to the US, and other companies would do well to note it.
“Leaving aside the specifics of the long-running case against Meta, the DPC’s decision also carries big implications for businesses across all sectors engaged in the day-to-day activity of international transfers of personal data,” said John Magee, head of data protection, privacy and cybersecurity at DLA Piper Ireland.
“Meeting the requirements of the Schrems II case has already proved a challenge even for the most sophisticated and well-resourced organisations. And while global data transfers are still possible to lawfully carry out, the DPC’s decision has now raised the stakes, focusing attention on the controls that organisations need to have in place as well as forcing businesses to think about their overall data governance strategies.”
Is the €1.2 billion fine enough?
It is a significant penalty. But Meta could have been hit with a fine of more than €4 billion, so you could argue that it got away lightly – relatively speaking. In total, Meta has now been fined more than €2.5 billion for various breaches.
Even so, experts said the suspension order – that any future data transfers must be suspended within five months and the social media giant must within six months stop the “unlawful processing, including storage, in the US” of European data that was already transferred in violation of EU law – would probably hit much harder.
What happens now?
In the past, there were rumblings about Meta ceasing the provision of its services in the European Union if a new agreement on transatlantic data transfers was not reached. However, with the region accounting for a significant portion of revenue, and Meta operating several data centres in the region, that option looks less likely.
“Facebook’s empty threats that they will stop services in Europe are laughable,” said Mr Schrems. “It is by far the biggest market for them outside of the US. One potential option moving forward would be a ‘federated’ social network, where European data stays in their data centres in Europe, unless users chat with a US friend, for example.”
In the short term, Meta is likely to appeal the ruling, as it has done with every other fine it has been hit with in the past few years. This is the sixth big penalty the company has had imposed on it since GDPR was introduced five years ago. Prepare for this one to drag on.