“Privacy is not an option, and it shouldn’t be the price we accept for just getting on the internet.” – Gary Kovacs. In the digital ocean of today, the recent fine imposed on Meta Platforms Ireland by Ireland’s Data Protection Commission (DPC) serves as a stark reminder of this sentiment. The world has anticipated the decision in this case for a long time, and we will feel its global impact regarding cross-border data transfers. Let’s discuss Meta’s record GDPR fine for data transfers.
The case against Meta Platforms Ireland
The DPC’s record-breaking €1.2 billion fine is a wake-up call for organisations worldwide. The case centres on Meta’s violation of Chapter V of the GDPR, which governs the transfer of personal data to countries outside of the European Economic Area (EEA). The DPC’s orders for Meta to stop data transfers and bring its processing operations into compliance within six months underscore the seriousness of the violation. The DPC concluded that the Standard Contractual Clauses (SCCs) and additional safeguards implemented by Meta to justify its data transfers from the EU to the US were insufficient to ensure adequate data protection. The DPC initially argued that a fine was inappropriate for non-compliance and emphasised the importance of ensuring future compliance. However, the European Data Protection Board (EDPB) disagreed and effectively viewed the fine as a punitive deterrent. They have arguably made an example of Meta as a warning to other businesses. Not imposing a fine would suggest that past infringements would go unaddressed. The EDPB instructed the DPC to set the fine at between 20% and 100% of the maximum fine under GDPR, considering factors such as the volume of data transferred, the duration of non-compliance, and the level of negligence.
Meta’s response
Meta, however, is not taking this lying down. Nick Clegg and Jennifer Newstead, prominent figures at Meta, have voiced their intent to appeal the DPC’s decision. They argue that there is a conflict of law between US data access rules and European privacy rights, a contention that will undoubtedly fuel further debate. Meta argued that singling them out for a fine while not fining others amounted to discrimination and violated equal treatment principles. They also highlighted that they acted in good faith throughout the process.
Implications for other organisations in other countries
This ruling isn’t just a wake-up call for Meta or anyone transferring personal data from the EU to the US; it’s a siren for all organisations that rely on SCCs, without an adequacy decision, to transfer personal data from the EU to any other country outside the EEA. The ruling also raises questions about the feasibility of a risk-based approach to data transfers and the impact on the UK’s adequacy arrangements.
Potential consequences of Meta’s record GDPR fine for data transfers
The consequences for Meta and its users could be far-reaching. If the European authorities force Meta to stop using SCCs without an alternative, it may consider shutting down services like Facebook and Instagram in Europe. Furthermore, the decision effectively closes the door on other transfer options for Meta. It highlights the need for organisations to either change US law or cease processing in the US altogether.
A future adequacy decision
The Meta case is a landmark in data protection enforcement, highlighting the tension between US security surveillance practices and European attitudes towards privacy. As Meta plans to appeal the decision, the European Commission aims to finalise the EU-US Data Privacy Framework adequacy decision by summer in the Northern Hemisphere. While the framework may provide a solution going forward, it may not retroactively address the rationale behind the enforcement decision.