The General Data Protection Regulation (GDPR), which governs the transfer of user data from the European Union to the United States, was violated by Meta, according to the Irish Data Protection Commission (DPC), which imposed a record fine of 1.2 billion euros ($1.3 billion) against the company on Monday.
All businesses involved in transatlantic data transfers should take note of the long-awaited judgement, which mandates that Meta Ireland immediately cease all further transfers of personal data to the US. The penalty imposed in this case exceeds the €746 million fine imposed against Amazon by the Luxembourg data protection authority (DPA) in July 2021, which has not yet been finalized.
Facebook, Instagram, and WhatsApp's parent company, Meta, announced that it would challenge the ruling and the penalties. As soon as the European Union and the United States agree on a new transfer mechanism, the business anticipates that the issue of transatlantic data transfers will be resolved.
In July 2020, the top court of the EU determined that American law does not offer the same level of data protection as the European Union under the GDPR. Since that time, companies like Meta have relied on standard contractual clauses (SCCs) and other systems to make sure that data transfers are compliant.
The usage of SCCs by Meta was the subject of an inquiry by the Irish DPC in August 2020, which discovered that "these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the [Court of Justice of the European Union] in its judgment."
The transfers, according to the Irish DPC, contravene Article 46 of the GDPR.
Other EU DPAs were given the opportunity to comment on the decision due to the cross-border character of the proceedings. The procedure triggered the European Data Protection Board's (EDPB) ability to intervene and render a legally enforceable decision as part of the GDPR's dispute settlement mechanism. The Irish DPC's earlier conclusions that Meta acted in good faith and that a fine was not warranted were overturned by the EDPB's resolution.
According to EDPB Chair Andrea Jelinek in a press statement, "The EDPB found that [Meta's] infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences."
Companies, most notably technology giants, will closely examine the result of the verdict and if the new data transfer arrangement between the United States and European Union meets the issues raised. For instance, Microsoft has issued a warning that any decision involving data transfers between the EU and the US may have an impact on its cloud-based services.
In the past, Meta has made clear that the case could affect its ability to provide Facebook, Instagram, and WhatsApp in the EU.
The Irish DPC has fined Meta and its affiliates the five highest amounts under the GDPR, excluding the proposed sanction against Amazon. Four of the fines were announced in the past nine months, including one for targeted advertising violations totaling €390 million (then $414 million) that was disclosed in January.
"We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day," wrote Nick Clegg, Meta's president of global affairs, and Jennifer Newstead, the company's chief legal officer, in a blog post.
According to Clegg and Newstead, Meta feels "singled out" in the case and the ruling is "flawed, unjustified, and sets a dangerous precedent for the countless other companies transferring data between the EU and the U.S."
By fLEXI tEAM