META MET-A €1.2bn wall
Ireland’s Data Protection Commission (“DPC”) slapped Meta with a MEGA €1.2bn fine on Monday 22nd May for mishandling transfers of personal data between Europe and the United States and breaching data protection laws. This is the largest fine ever imposed on a Big Tech group under the EU’s General Data Protection Regulation (“GDPR”) Privacy Law. Considering Meta has only just reported first-quarter revenue of a whopping €28.10bn and has a market capitalisation of $630bn, this setback is only a tiny drop in the metaverse for the tech giant. Whilst the fine is a record for the EU, it is only a quarter of the maximum possible levy that could have been imposed.
So, what’s the backdrop?
The DPC said Meta’s use of a legal instrument called standard contractual clauses (“SCCs”) to move data to the US “did not address the risks to the fundamental rights and freedoms” of Facebook’s European users, even though the SCCs were endorsed by the European Commission.
SCCs contain contractual safeguards to ensure personal data continues to be protected when it is transferred outside of Europe. Under the EU Charter, EU citizens have a right to data privacy; in the US, however, data privacy is governed on a sectoral basis, with no single regulator overseeing it. European GDPR legislation is stricter than US data protection laws. US laws make it easier for law enforcement agencies to access data and harder for consumers to seek redress.
These SCCs do not limit the US government’s power to carry out surveillance and therefore cannot be used on their own to comply with GDPR. Supplementary safeguards need to be implemented on top of the existing safeguards to ensure personal data is kept confidential. The DPC found that Meta did not implement effective supplementary safeguards for its data transfers between Meta Ireland and Meta Platforms in the US, and so the data transfers were found to be illegal under GDPR.
This decision comes amidst pressure within the EU for tougher data transfer rules between the EU and the US, due to the lax data privacy rules that are prevalent in the US and the fact that the personal data of EU citizens is not sufficiently protected from US surveillance.
What’s next?
The DPC has given Meta five months to stop sending European user data to the US and six months to bring its data operations into compliance with GDPR by ceasing unlawful processing and storage of European users’ personal data in the US.
Will this fine force Meta to change its ways? Considering they have been fined on numerous occasions before, I think not. In the words of Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, “A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally”. This recent clampdown by the DPC serves as a warning to all companies handling personal data to get their data privacy procedures in check!