The Irish Data Protection Commission (DPC) on Monday announced a record penalty of 1.2 billion euros (U.S. $1.3 billion) against Meta regarding its transfers of user data from the European Union to the United States in violation of the General Data Protection Regulation (GDPR).
The long-awaited decision is of significant relevance to all companies engaging in transatlantic data transfers, as the ruling requires Meta Ireland to suspend any future transfer of personal data to the United States within five months. The penalty in the case is the largest under the GDPR, surpassing the yet-to-be-finalized €746 million (U.S. $806 million) fine assessed against Amazon by the Luxembourg data protection authority (DPA) in July 2021.
Meta, the parent company of Facebook, Instagram, and WhatsApp, said it would appeal the decision, including the fine. The company expects the issue of transatlantic data transfers will soon be addressed once the European Union and United States reach agreement on a new transfer framework.
The details: The EU’s top court ruled in July 2020 that U.S. law does not provide a level of data protection similar to that of the European Union under the GDPR. Since then, businesses like Meta have leaned on standard contractual clauses (SCCs) and other mechanisms for ensuring compliant data transfers.
The Irish DPC launched an investigation in August 2020 regarding Meta’s use of SCCs, finding “these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the [Court of Justice of the European Union] in its judgment.”
The Irish DPC found the transfers violated Article 46 of the GDPR.
Given the cross-border nature of the proceedings, other EU DPAs were given the chance to weigh in on the decision. The process triggered the dispute resolution mechanism of the GDPR, under which the European Data Protection Board (EDPB) steps in to issue a binding resolution. The EDPB’s resolution overruled the initial findings of the Irish DPC, which had determined Meta acted in good faith and that a fine was unjustified.
“The EDPB found that [Meta’s] infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous,” said EDPB Chair Andrea Jelinek in a press release. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
Compliance considerations: The outcome of the ruling and whether the new data transfer framework between the United States and European Union addresses the concerns raised will be closely monitored by companies, most notably technology giants. Microsoft, for example, has warned its cloud-based services could be impacted by any determination regarding EU-U.S. data transfers.
Meta has long disclosed that its ability to offer Facebook, Instagram, and WhatsApp in the European Union was at stake in the case.
Excluding the proposed Amazon fine, the five largest penalties under the GDPR have been levied by the Irish DPC against Meta and its subsidiaries. Four of those fines have come in the last nine months, including €390 million (then-U.S. $414 million) in penalties announced in January for targeted advertising breaches of the GDPR.
Company response: “We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” wrote Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, the company’s chief legal officer, in a blog post.
Clegg and Newstead added Meta felt “singled out” by the case and that the decision is “flawed, unjustified, and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.”