GDPR's fine on Meta in 4 key points

The Irish Data Protection Commission has fined Meta Platforms Ireland Limited 1.2 billion euros following an inquiry into its transfers of personal data to the US. The fine, the largest ever imposed under the GDPR, concerns Meta's use of standard contractual clauses (SCCs) as the legal basis for those transfers since July 16, 2020.

What happened? 

On April 13, 2023, the European Data Protection Board (EDPB) adopted a Binding Decision instructing the Data Protection Commission (DPC) to impose an administrative fine on Meta Platforms Ireland Limited (Meta IE) for infringing the General Data Protection Regulation (GDPR) when transferring the personal data of European users to the US.

The EDPB's decision resolved objections raised by several other supervisory authorities, and it instructed the DPC to set the fine at between 20% and 100% of the legal maximum (under Article 83(5) GDPR, 20 million euros or 4% of the undertaking's annual worldwide turnover, whichever is higher).

Based on the Binding Decision, the DPC issued its final decision, announced on May 22, 2023, ordering Meta IE to bring its processing into compliance with the GDPR and imposing a fine of 1.2 billion euros.


What is Meta? 

In October 2021, the social networking giant Facebook, Inc. changed its corporate name to Meta Platforms, Inc., with a new logo and branding. According to its CEO Mark Zuckerberg, the rename was meant to move the company's identity away from the Facebook app and refocus it on what he presented as the next digital frontier: the merging of different digital worlds into the "metaverse." The Facebook social network itself kept its name.

The timing of the name change, however, also coincided with the company's need to distance itself from the problems Facebook, as a social network, was facing: the spread of false information and hate speech on the platform, and the fallout from the Cambridge Analytica scandal.


What is the GDPR?

The General Data Protection Regulation (GDPR) is one of the strictest privacy and data security laws in the world. Although it was written and passed by the European Union (EU), it applies to organizations anywhere in the world that offer goods or services to people in the EU or monitor their behavior, regardless of where the data is processed. Breaches of the GDPR's privacy and security obligations can be punished with fines of up to 20 million euros or 4% of an organization's annual worldwide turnover, whichever is higher.

With the GDPR, Europe makes clear that it takes data privacy and security seriously at a time when more and more people entrust their personal information to cloud services and data breaches are reported daily.

Meta IE was found to have infringed Article 46(1) GDPR, which sits in Chapter V on transfers of personal data to third countries. Article 46(1) provides that, in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organization only if it "has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available." Standard contractual clauses adopted by the European Commission are one such safeguard (Article 46(2)(c)).


What's the long story?

The Safe Harbour Decision, adopted by the European Commission in July 2000, established arrangements for EU-US data transfers. It did not find that US law in general provided adequate data protection; instead, it allowed transfers to US organizations that self-certified compliance with the Safe Harbour privacy principles and guidance published by the US Department of Commerce. The arrangement became widely used by EU data controllers to legitimize transfers to the US.

In June 2013, Edward Snowden, an employee of a contractor working for the US National Security Agency (NSA), leaked documents showing that the NSA ran surveillance programs, including PRISM, that collected internet and phone communications data from some of the world's biggest technology companies, among them Microsoft, Apple and Meta US (then Facebook, Inc.).

Later that month, Maximilian Schrems filed a complaint with the Data Protection Commissioner (DPC), arguing that, in light of the Snowden disclosures, the transfer of his personal data from Meta IE to its US parent, Meta US, was unlawful. The Commissioner initially declined to investigate the complaint, citing the binding nature of the Safe Harbour Decision. Schrems challenged that refusal before the Irish High Court by way of judicial review, seeking to have it overturned and the complaint investigated.

In response to concerns raised by the Snowden disclosures, the US and the European Commission established an ad hoc EU/US Working Group in July 2013. Its purpose was to examine the scope of the surveillance programs, the volume of data collected, the oversight mechanisms, and the levels of protection in the US and the EU/EEA. In November 2013, the European Commission published a report based on the Working Group's findings, stating that data was collected under directives issued to major US internet service providers and technology companies, including Microsoft, Yahoo, Google and Facebook.

The report identified several concerns regarding US law, including: 

  • The existence of legal bases allowing large-scale collection and processing of transferred personal data for foreign intelligence purposes;  
  • Differences in safeguards between EU and US data subjects, with US persons benefiting from constitutional protections that don't apply to EU citizens;  
  • Different levels of data protection for different types of data and stages of processing;  
  • Lack of clarity regarding other legal bases and applicable conditions; and 
  • Neither EU nor US data subjects have avenues to be informed about the collection and processing of their personal data. 

The High Court referred the case to the Court of Justice of the European Union (CJEU), which in October 2015 invalidated the Safe Harbour Decision (Schrems I). Its replacement, the EU-US Privacy Shield, was in turn invalidated on July 16, 2020 (Schrems II). That judgment left standard contractual clauses valid in principle, but required data exporters to verify, case by case, that the destination country affords protection essentially equivalent to EU law and to adopt supplementary measures where it does not. Meta IE continued its transfers on the basis of SCCs after that date, and it is this conduct that the DPC's inquiry addresses.

Schrems and the DPC subsequently reached a settlement on how his complaint would be investigated. They agreed that the complaint would be handled as a separate investigation, conducted solely by reference to the applicable provisions of the GDPR, and that its temporal scope would begin on May 25, 2018, the date the GDPR became applicable.

In August 2020, the DPC issued a preliminary draft decision. It served as notice to Meta IE that the DPC was commencing an own-volition inquiry and set out the inquiry's scope and legal basis; Schrems was invited to make submissions. In February 2022, the DPC issued a revised preliminary draft and shared it with the other supervisory authorities concerned, several of which raised objections. The dispute was then referred in September to the EDPB under the GDPR's dispute-resolution procedure (Article 65).


In April 2023, the EDPB adopted its Binding Decision on the dispute submitted by the Irish supervisory authority regarding data transfers by Meta IE for its Facebook service.

With its decision, the EDPB instructed the DPC to impose an administrative fine on Meta IE, based on its assessment of factors such as: 

  • "A very high number of data subjects is affected, and this already high number can keep increasing until the infringement is effectively brought to an end," and "that this duration of infringement is significant." 
  • "Meta IE committed the infringement at least with the highest degree of negligence." 
  • "There are enough elements in the analysis of this factor which confirm Meta IE's high degree of responsibility." 
  • "A large number of categories of personal data have been affected by the infringement, including special categories of personal data under Article 9 GDPR." 
  • "It is the business model which must adapt itself and comply with the requirements that the GDPR sets out in general and for each of the legal bases and not the reverse." 

Based on the Binding Decision and its own findings, the DPC issued its final decision. In summary, it: 

  • Found that the data transfers by Meta IE are made in circumstances that fail to guarantee data subjects a level of protection essentially equivalent to that provided by EU law, infringing Article 46(1) GDPR; 
  • Ordered Meta IE to suspend any future transfer of personal data to the US within five months of notification of the decision; 
  • Ordered Meta IE to bring its processing operations into compliance with Chapter V GDPR within six months, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR; and 
  • Imposed an administrative fine of €1.2 billion on Meta IE in respect of the infringement of Article 46(1) GDPR. 

What can we learn?

The DPC's decision has significant implications for data protection worldwide, and it shows how much scrutiny organizations involved in international data transfers now face. Notably, the fine was not imposed for a security breach but for the transfer mechanism itself: standard contractual clauses alone were held insufficient where the law of the destination country permits access to the data that EU law would not allow and the exporter has not put effective supplementary measures in place. The case is a reminder that, under the GDPR, data protection is a fundamental right and that cross-border transfers must meet stringent safeguards to protect individuals' personal information. 

Organizations should therefore map where the personal data of EU users flows, document a transfer impact assessment for each destination country, reassess the legal basis of each transfer, and add safeguards, such as encryption with keys held in the EU or keeping the data in the EU, wherever the assessment shows that a contractual clause on its own cannot deliver essentially equivalent protection.