Irish regulator finds Meta failed to shield Europeans’ personal data sufficiently from Washington’s surveillance practices
Meta (formerly Facebook) has been fined €2.1 billion by Ireland’s Data Protection Commission (DPC) for breaking the European Union’s rules on moving personal data beyond its borders. This is the biggest fine so far for breaching the EU’s General Data Protection Regulation (GDPR), which will be five years old on 25 May.
The previous record holder was Amazon (Luxembourg) at €746 million.
The DPC found Meta had contravened the conditions for moving data overseas under the GDPR, in this case to Meta’s data centres in the US. The company has been instructed “to suspend any future transfer of personal data to the US within the period of five months from the date of notification”.
It has also been instructed “to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA [European Economic Area, which includes Iceland, Liechtenstein and Norway] users transferred in violation of the GDPR, within 6 months following the date of notification of the DPC’s decision to Meta Ireland.”
Meta disagrees
In a statement penned by Meta’s President of Global Affairs, Nick Clegg (a former UK Deputy Prime Minister while leader of the Liberal Democrat Party), and Chief Legal Officer, Jennifer Newstead, Meta said: “We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts”.
They insist the company believes it acted legally, and in the same way as many others – that is, using a legal instrument known as standard contractual clauses (SCCs) – and they question the legality of the ruling and the process that led to it.
Sub-standard contractual clauses
The DPC acknowledged that Meta Ireland had transferred data “on the basis of the updated standard contractual clauses that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland,” but added “these arrangements did not address the risks to the fundamental rights and freedoms” of users.
In 2020, the European Court of Justice nullified the data flows agreement between the EU and the US, known as the Privacy Shield, because it didn’t approve of US intelligence services’ surveillance practices. At the same time, it imposed stricter requirements regarding the use of standard contractual clauses, which in the DPC’s opinion were not met.
The EU and US have struggled to find a mutually acceptable arrangement but are now putting the finishing touches on a new data flow approach, which could come into force any time between July and October this year. The DPC has given Meta until 12 October to stop using SCCs for data transfers to the US.