Meta Fined €1.2bn for Violating GDPR

On May 22, 2023, the Irish Data Protection Commission (DPC) announced that it had fined Facebook owner Meta €1.2 billion ($1.3 million) for breaching the General Data Protection Regulation (GDPR).

The Irish watchdog argued that Meta’s transfers of personal data to the United States under Standard Contractual Clauses (SCCs) after July 16, 2020 violated the GDPR.

In 2020, the European Court of Justice revoked the EU-US data flow agreement, the Privacy Shield, limiting the use of SCCs, citing concerns over US surveillance practices.

The EU and the US are working on a new data flow agreement due later this year, but Meta and other multinationals continue to illegally rely on the previous agreement, the DPC argued.

Meta has until October 12, 2023 to stop relying on SCCs for these transfers.

This is the largest fine ever imposed under the GDPR, nearly double the previous record of €746 million ($808 million) imposed on Amazon by Luxembourg’s Data Protection Authority (CNPD) in July 2021.

Andrea Jelinek, Chairman of the European Data Protection Board (EDPB), said that “Meta-IE breaches are very serious because they are about systematic, repetitive and continuous transfers,” adding that the amount was justified. “Since Facebook has millions of users in Europe, the amount of personal data transferred is enormous. The unprecedented fines are a strong signal to the organization that serious violations have far-reaching implications.”

Warning Bells for U.S. Companies

The amount of the fine is “the least important part of the story,” said Edward Machin, senior attorney for Ropes & Gray’s data, privacy and cybersecurity practice.

“The DPC’s ruling that standard contractual clauses are not a valid mechanism for transferring personal data to the U.S. will have a significant impact on the ability of organizations of all shapes and sizes to lawfully share data with and receive data from Europe,” he said.

“It also sets off a race against time for lawmakers to finalize the EU-US data transfer framework before the end of the six-month transition period given by the DPC to make transfers compliant,” said Machin.

John Magee, Head of Data Protection, Privacy and Cyber Security at DLA Piper Ireland, agreed.

“While the size of the DPC’s record-breaking fines is certainly eye-catching, the cease and desist order will probably be an even bigger blow to Meta, both operationally and commercially,” he said.

Machin also predicts that the upcoming new data flow agreement between the EU and the US will probably not solve the problem.

“This story has been whispered for over a decade and we are still nowhere near a permanent solution. It will almost certainly be challenged before the European Court of Justice, and is quite likely to be found invalid as well, during which companies on both sides of the pond will spend a great deal of time and money without being given legal certainty. It’s going to continue to be costly and there’s not much we’re asking for at this point,” Machin said.

Magee also argued that the fine could serve as a wake-up call for U.S. companies. “Apart from the details of the long-running lawsuit against Meta, the DPC’s decision also has significant implications for companies in all sectors engaged in the routine activity of international transfers of personal data. […] And while global data transfers are still legally viable, the DPC decision raises risk, highlights the controls organizations need to put in place, and forces companies to consider their overall data governance strategy.”

Meta has already been fined five other times under GDPR since 2018, totaling €2.502 billion ($2.708 billion).

May 25, 2023 marks the 5th anniversary of the EU Privacy Act coming into force.
