Meta, owner of Facebook has been fined EUR1.2 billion, a record amount, for violating the European Union’s data privacy regulations. Meta was also given a deadline of six months to stop sending data to the United States.
The Irish Data Protection Commission stated that Meta violated EU rules when it transferred the personal data from European Facebook users to US servers, without adequately protecting them against Washington’s data collection practices.
This fine, which is higher than the 746 million euros Amazon was penalized for in 2021, is the largest ever issued by the EU General Data Protection Regulation.
The Commission said that the European Data Protection Board ordered them to collect the fine. Andrea Jelinek said that it “concerns systematic, repetitive, and continuous transfers”. She continued: “Facebook is used by millions of people in Europe. The volume of data that’s transferred to Facebook is huge.” The unprecedented fine sends a clear message to companies that serious violations have long-lasting consequences.
Meta, like many US-based technology companies, has its European headquarters located in Dublin. This makes the Irish privacy regulator a major player.
Jennifer Newstead, Chief Legal Officer at Meta and Sir Nick Clegg (President of Global Affairs) have both said that they will appeal the ruling. They said that the decision was flawed, unjustified, and set a dangerous precedent. “No country has done as much as the US in aligning with European rules through their latest reforms. Transfers to countries like China continue to be largely unchallenged.”
The fine is a blow to the social media giant, which has struggled with a slowing of advertising revenues, growing competition by TikTok, and a multi-billion dollar speculation about creating a “metaverse”. The company has announced two major rounds of job reductions this year. Mark Zuckerberg has declared 2023 as ” Year of Efficiency”.
The decision relates to an old question of how European companies can comply with European law and transfer data to America.
Max Schrems was an Austrian privacy activist who was the driving force behind a case that was brought in 2020 by the EU Court of Justice. The Court found that the “privacy” shield was inadequate to protect EU citizens from US surveillance. The frameworks of most companies were inadequate and, while a new framework developed, they relied upon so-called standard contractual clauses. The ruling also means that these have been found to be substandard.
Max Schrems is the online privacy activist that brought the first case against the data surveillance of the US
A lawyer called the situation a “doomsday loop” because it seems that no one can meet the standard. In March, Washington and Brussels announced that they had “in principle”, agreed on a replacement to the privacy shield. However, it has not yet been completed.
Meta’s executives stated: “We were pleased to see that the Irish commission confirmed in their decision that Meta would not be required to suspend transfers or take any other action, including deleting EU data subject data after the conflict has been resolved.”
Edward Machin, an attorney in Ropes and Gray’s data privacy and cybersecurity group, said that this is a “seismic decision” for the way the internet works and is not Meta-specific. This ruling will affect every app that stores data in America. “
John Magee said that it “raised stakes” and focused attention on the controls organisations must have in place. It also forced businesses to consider their data governance strategies.