Meta, the parent company of Facebook, has been issued a €1.2bn (£1bn) fine by Ireland’s Data Protection Commission (DPC) for mishandling the transfer of people’s data between Europe and the United States. This represents the largest fine ever imposed under the EU’s General Data Protection Regulation (GDPR) privacy law. The fine is a result of Meta’s alleged violation of GDPR rules that govern the transfer of user data outside of the EU. Meta has expressed its intention to appeal the ruling, describing it as “unjustified and unnecessary.”
Concerns have emerged regarding the use of standard contractual clauses (SCCs) in moving European Union data to the US. These legally binding contracts, formulated by the European Commission, contain safeguards to ensure the continued protection of personal data during its transfer outside of Europe. However, there are apprehensions that these data flows may still expose Europeans to weaker privacy laws in the US, and that US intelligence agencies could potentially access the data.
It is important to note that this decision does not directly affect Facebook in the UK. The Information Commissioner’s Office clarified that the ruling “does not apply in the UK,” although it acknowledged the decision and stated that it would review the details in due course.
Meta argues that the wide application of SCCs makes the imposed fine unjust. Facebook’s president, Nick Clegg, expressed disappointment, stating, “We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe. This decision is flawed, unjustified, and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”
While Meta contests the ruling, privacy groups have welcomed it as a significant precedent. Caitlin Fennessy, of the International Association of Privacy Professionals, commented, “The size of this record-breaking fine is matched by the significance of the signal it sends. Today’s decision signals that companies have a whole lot of risk on the table.” The ruling could lead EU companies to demand that US partners store data within Europe or consider switching to domestic alternatives, Fennessy added.
The decade-long battle surrounding the legality of transferring EU data to the US traces back to Edward Snowden’s 2013 disclosure of US intelligence agencies repeatedly accessing individuals’ information through technology companies like Facebook and Google. Austrian privacy campaigner Max Schrems initiated a legal challenge against Facebook, claiming a failure to protect his privacy rights, which sparked the ongoing dispute. The European Court of Justice (ECJ), Europe’s highest court, has consistently maintained that US surveillance laws lack sufficient safeguards to protect Europeans’ information.
In 2020, the ECJ invalidated an EU-to-US data transfer agreement, although it allowed companies to use SCCs if they ensured an “adequate level of data protection” during transfers to other third countries. It is this criterion that Meta has been found to have failed.
In response to the €1.2bn fine, Max Schrems expressed satisfaction after a decade of litigation but suggested that the penalty could have been even higher. He emphasized that Meta would need to fundamentally restructure its systems unless US surveillance laws were rectified.
Despite the record-breaking fine, experts believe that Meta’s privacy practices are unlikely to undergo significant changes. Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, remarked, “A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally.”
The US has recently updated its internal legal protections to provide the EU with greater assurances that American intelligence agencies will adhere to new rules governing data access. In 2021, Amazon faced a similar fine for breaching the EU’s privacy standards. The DPC in Ireland has also fined WhatsApp, another business owned by Meta, for violating data protection regulations.