Written by staff writer.
Ireland’s Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited (Meta) EUR1.2 billion (AUD1.95 billion) over the unlawful transfer of data of Facebook users living in the European Union to the United States and its storage of that data there. Meta is the owner of Facebook.
The DPC found that Meta infringed Article 46(1) of Europe’s General Data Protection Regulations (GDPR) and inadvertently disregarded an earlier ruling on data transfers from the EU by the European Union’s Court of Justice.
In addition to the administrative fine, the DPC gave Meta Ireland five months to suspend any future transfer of personal data to the US. It also gave Meta six months to bring its processing operations into compliance with Chapter V of the GDPR. This latter order requires Meta Ireland to stop processing and storing the personal data of EU-based Facebook users in the United States. The decision does not impact Meta’s other social media platforms, WhatsApp and Instagram.
While Meta is based in California, it is headquartered in Ireland, where it enjoys a lower tax rate and improved profits.
Meta says the ability to transfer data across borders is fundamental to how the open internet works. Following the DPC decision, it has criticised the 2020 European Union Court of Justice’s decision to invalidate the EU-US Privacy Shield framework.
“This decision created considerable regulatory and legal uncertainty for thousands of organisations, including Meta,” the social media giant said. “The court confirmed that an alternative legal mechanism called Standard Contractual Clauses (or SCCs) would continue to be valid subject to various legal safeguards. As such, like thousands of other businesses, Meta used SCCs, believing them to be compliant with the GDPR.”
Beyza Karakoy, an analyst at Global Data, says the 2020 court decision has created uncertainty for big tech companies whose business models rely on exporting users’ data. “Meta’s fine represents the outcome of the challenge transatlantic companies face when it comes to complying with fragmented data protection laws globally,” she said.
But Karakoy also says there needs to be more certainty about the degree of US surveillance and whether any new framework would match the EU’s data protection laws. She says while Meta has six months before the data suspension order takes effect, it is unlikely any new EU-US data transfer deal will be done in time, potentially significantly disrupting the business model.
The DPC says the outcome was reached after an informal consultation process with its peer regulators across the EU. During this consultation, the regulators could not achieve a 100% consensus on what course of action to take against Meta. The DPC was not arguing for a fine, but some other regulators did. Subsequently, the matter was referred to the European Data Protection Board for a determination, which was adopted by the DPC, who acknowledged that Meta had acted in good faith, even if they did breach the Article.
Meta says it follows the same legal mechanisms concerning data transfers as other entities, including big tech companies, and adds that it is disappointed that it was singled out. “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and the US,” said Meta.
The company adds that it will appeal the decision and immediately seek a stay on the deadlines.