Meta has confirmed it will be appealing a €1.2 billion ($1.3 billion) GDPR fine imposed on it this week for the unlawful transfer of Europeans’ data to the US.
The Irish Data Protection Commission’s (DPC) decision was published on Monday morning and forces the company to suspend data transfers between the EU and US due to concerns over EU citizens’ data privacy.
The DPC said that current data transfer practices at Facebook “did not address the risks to the fundamental rights and freedoms of data subjects” and were in breach of the GDPR.
The ruling follows a long-running question over citizens’ data privacy and how Meta-owned Facebook conducts data transfers between the EU and US.
Data transfers were previously protected by the transatlantic ‘Privacy Shield’, which was originally created to allow secure data transfers between the EU and US, which operate in different data protection jurisdictions.
This was later invalidated after a lawsuit between Meta (then called Facebook) and Max Schrems concluded that the standard offered too much leniency to US surveillance laws.
The DPC noted that Meta used updated standard contractual clauses (SCCs) that were adopted by the European Commission in 2021 with the transfers in question, along with “additional supplementary measures”.
However, these were still deemed to have not safeguarded the rights and freedoms of European data subjects.
RELATED RESOURCE
Ever since Privacy Shield was rendered invalid, businesses large and small have been left without clear guidance regarding cross-continent data transfers.
The EU is still yet to finalize a clear mechanism for safe and secure data transfers between it and the US, although one is expected before the end of the year.
Meta described the ruling as “unjustified and unnecessary” in a scathing response.
Nick Clegg, president for global affairs at Meta, criticized the DPC’s decision in a blog post, saying there is a “fundamental conflict of law between the US government’s rules on access to data and European privacy rights”.
“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” Clegg wrote alongside chief legal officer Jennifer Newstead.
The Computer & Communications Industry Association (CCIA) warned that the ruling will exacerbate confusion over current data transfer protocols for US-based firms.
“Since an EU Court invalidated the previous EU-US data framework back in 2020, European and US organizations and companies of all sizes have been left without clear guidelines for transatlantic data transfers,” the non-profit said in a statement.
“To this day, that uncertainty continues to affect not only companies, but also non-profits, charities, governments, and others. Data flows between the EU and US make up the busiest internet route in the world, and are vital to transatlantic trade. Yet, today’s decision to suspend data transfers from the EU to the US ignores that reality.”
Last year, the Biden administration signed an executive order introducing new data protection safeguards for European citizens. The CCIA said these should “pave the way for a new and strengthened EU-US data privacy framework”.
However, lawmakers on both sides of the Atlantic “still need to finalize the framework before it can come into force”.
“Today’s legal uncertainty will continue to persist as long as this new data transfer mechanism has not been formally approved by EU member states. We call on the 27 EU national governments to approve the Commission’s adequacy decision without delay,” said Alexandre Roure, public policy director at CCIA Europe.
The fine issued to Meta is the largest ever handed out since the GDPR was enacted in 2018.
It also comes the day before the landmark regulation’s fifth anniversary.
The previous record GDPR fine was handed to Amazon in 2021 by Luxembourg’s data protection regulator.
The tech giant was ordered to pay €746 million ($807 million) and the details of the case were never revealed in any great detail.
At the time the fine was nearly 15 times larger than the then-current record fine issued to Google in 2019 by the French data protection regulator CNIL.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
UK businesses patchy at complying with data privacy rulesNews Companies need clear and well-defined data privacy strategies
-
Data privacy professionals are severely underfunded – and it’s only going to get worseNews European data privacy professionals say they're short of cash, short of skilled staff, and stressed
-
Four years on, how's UK GDPR holding up?News While some SMBs are struggling, most have stepped up to the mark in terms of data governance policies
-
Multicloud data protection and recoverywhitepaper Data is the lifeblood of every modern business, but what happens when your data is gone?
-
Intelligent data security and managementwhitepaper What will you do when ransomware hits you?
-
Why Meta could face a hefty EU fine over its 'pay or consent' ad modelNews The European Commission said Meta is failing to offer users a valid option for equivalent services that doesn't involve tracking and targeting
-
Meta delays plans to train AI using European user dataNews Meta won't continue with plans to train AI models using European user data following backlash from privacy groups
-
Firms have paid out more than $4.8 billion in GDPR fines since 2018News Tech giants headquartered in Ireland attract the biggest GDPR fines
