It’s been just over five years since the Cambridge Analytica scandal embroiled Mark Zuckerberg and his social media company, Facebook, and less than one year since the organisation settled a $725m privacy lawsuit, but now a new data controversy has hit the Silicon Valley business.
The Irish Data Protection Commission (DPC), which first launched an inquiry into Meta (that’s Facebook’s parent company) back in August 2020, concluded its investigation earlier this month, and found that Meta Ireland’s transferring of personal data between Europe and the United States breached the General Data Protection Regulations (GDPR).
The DPC decided such data transfers “should be suspended”, but when fellow regulators in the European Union and the European Economic Area (or the EEA, which includes all EU member states as well as Iceland, Liechtenstein and Norway) suggested an administrative fine as well, and the DPC disagreed, it was passed over to the European Data Protection Board (EDPB).
The EDPB decided a fine was appropriate, and so as well as being required to stop future data transfers to the US (for a period of five months), Meta was ordered to meet the requirements of the GDPR within six months, and pay an “administrative fine” of €1.2bn (£1.04bn).
It’s the largest fine ever imposed for a GDPR breach.
Sign up to our free Indy100 weekly newsletter
Andrea Jelinek, chair of the EDPB, said: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous.
“Facebook has millions of users in Europe, so the volume of personal data transferred is massive.
“The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
Of course, Meta isn’t happy with the decision, and has confirmed it will be appealing the “unjustified and unnecessary fine” and requesting the courts pause the relevant deadlines.
In a blog post penned by Chief Legal Officer Jennifer Newstead and former Lib Dem leader turned tech bro Sir Nick Clegg (he’s their president of global affairs), the pair wrote: “The DPC initially acknowledged that Meta had continued its EU-US data transfers in good faith, and that a fine would be unnecessary and disproportionate.
“However, this was overruled by the EDPB, which also chose to disregard the clear progress that policymakers are making to resolve this underlying issue.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.
“It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard.”
The “underlying issue” referenced by Meta concerns a framework known as Privacy Shield, which concerned data transfers between the EEA and the US and was invalidated by the European Court of Justice in 2020 due to a lack of “adequate safeguards”.
Both European and American policymakers are now working on a new data privacy framework to allow data transfers between the areas, called… the EU-US Data Privacy Framework.
Does what it says on the tin, really…
Meta also confirmed the ruling poses “no immediate disruption” to Facebook given the deadline periods imposed, and that their priority is ensuring users “can continue to enjoy Facebook while keeping their data safe and secure”.
Have your say in our news democracy. Click the upvote icon at the top of the page to help raise this article through the indy100 rankings.