The Irish Data Protection Commission has levied a record-breaking fine against Facebook's parent company, Meta, for transferring data to the US without data privacy safeguards.

Meta has been fined $1.3 billion (€1.2 billion) by the Irish Data Protection Commission (DPC) for violating the terms of the EU’s GDPR by continuing to transfer EU users’ data to the US without adequate safeguards.

Meta has failed to “address the risks to the fundamental rights and freedoms” of Facebook’s European users, the DPC said in a statement. In addition to the fine, Meta has been given five months to stop the transfer of Facebook data to the US via so-called standard contractual clauses (SCCs).

SCCs have been used by companies to transfer EU data to the US since the Court of Justice of the European Union (CJEU) ruled that the Privacy Shield agreement that was in place to facilitate the flow of data did not sufficiently protect data from US spy agencies. The ruling, in 2020, struck down the agreement and tightened requirements around the use of SCCs, a separate legal tool that was also being widely used by companies to transfer data to the US.

Ireland’s DPC noted that in its ruling to strike down Privacy Shield and tighten rules around SCCs, the CJEU said that “Data controllers or processors that intend to transfer data based on SCCs must ensure that the data subject is granted a level of protection essentially equivalent to that guaranteed by the General Data Protection Regulation (GDPR) and the EU Charter of Fundamental Rights (CFR).”

However, the DPC said that Meta’s SCCs do not protect EU citizens’ data from US government mass surveillance programs, potentially calling into question the ability of any company to transfer EU citizens’ data to the US.

Among other issues, “There were no avenues for either EU or US data subjects to be informed of whether their personal data was being collected or further processed, and no opportunities to obtain access,
rectification, or erasure of data,” the DPC said.

The “fundamental conflict of law” that exists between the US government’s rules on access to data and the privacy rights of Europeans is not one that Meta or any other business could resolve on its own, Nick Clegg, former leader of the UK’s Liberal Democrats political party and current Meta president of global affairs, and Jennifer Newstead, chief legal officer, wrote in a blog post.

He further said that the company was “disappointed to have been singled out” when thousands of other companies had been using the same SCCs and, as a result, Meta will appeal the ruling in addition to what the company described as an “unjustified and unnecessary fine.”

The fine is the largest imposed by a European regulator, eclipsing the $877 million (€746 million) levied against Amazon in 2021 for similar privacy violations.

The requirement to stop the storage of the personal data of EU individuals that it transferred unlawfully is a massive undertaking to carry out, financially, technically and logistically, said Nigel Jones, co-founder of Privacy Compliance Hub, a provider of privacy compliance products. It’s difficult to see how Meta can cease the transfers and bring its processing within the law in the time given.

“[Meta’s] only commercially viable option appears to be to appeal to the courts in an attempt to further delay implementation of the decision,” he said. “In the meantime it will hope that the EU and the US can agree a mechanism known as the Data Privacy Framework that will enable Meta and other companies to legally transfer the data of EU individuals to the US.”

Replacing Privacy Shield with a new data transfer agreement

Two years after Privacy Shield was ruled invalid, in October 2022, US President Joe Biden signed an executive order that implemented rules for the Trans-Atlantic Data Privacy Framework, the new EU-US data transfer agreement.
However, while the EU Commission concluded in December 2022 that the framework provides privacy safeguards comparable to those of the EU, there are still a number of legislators that need to weigh in on the agreement before it can finally be approved.

Once the European Data Protection Board (EDPB) has given its approval, the EU Commission must then seek approval from a committee comprising representatives from EU member states, as well as the European Parliament, which has a right of scrutiny over adequacy decisions. Only then can the Commission proceed with formally adopting the legislation.

If passed, the framework will mean US companies will have to agree to comply with a detailed set of privacy regulations, including the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. The regulations are essentially supposed to ensure that data flow between the US and EU adheres to the EU’s GDPR privacy regulations.