After ten years of litigation and 3 court procedures against the Irish Data Protection Commission (DPC), Meta Ireland has been issued a €1.2 billion fine for the transfer of EU user data to the United States. This is the largest GDPR fine to date and comes on the 5th anniversary of the law’s implementation.
The DPC was ordered by the European Data Protection Board (EDPB) to give out the fine, following a binding dispute resolution decision on 13th April. It is the third fine imposed on the social media tech giant this year, with a €390 million charge in January for breaking rules with targeted ads and €5.5 million in March for GDPR breaches with WhatsApp messaging.
The conclusion of this EU/US data transfer case against Meta has not been helped by the DPC, who have repeatedly tried to block its advance. Max Schrems, the Austrian lawyer and privacy activist, said, “the Irish regulator has done everything to avoid this decision but was consistently overturned by the European Courts…”
The EDPB chair, Andrea Jelinek, said, “Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous.”
In addition to the fine, Meta is required to suspend future transfers of EU data within five months, as well as having until the 12th of November to either delete or relocate EU resident data from the US back to the EU.
This verdict now raises further questions for other large organisations using cloud-based data storage and data transfer practices. Will this usher in multiple, similar actions?
The disparity between the GDPR and the US surveillance order FISA s702 is still apparent, despite the intention for limitations in EU-US data transfers to be overcome. Ben Seretny, Head of DPOs at The DPO Centre, points out that “similarly problematic exporting practices go unchallenged elsewhere in the world,” and goes on to state, “Unless dramatic changes occur within the US approach to data protection, any new transatlantic data sharing mechanism is likely to find itself back in the CJEU and fighting for continued existence.”
Rob Masson, CEO of The DPO Centre, asks the key question: “What does this mean for the millions of EU organisations that rely on cloud services? Google, Amazon and Microsoft also rely upon the EU’s Standard Contractual Clauses (SCCs) and additional supplementary measures – as Facebook did – to legitimise transfers from the EU to the US. The expected solution appears to be the imminent replacement of the Privacy Shield transfer mechanism, however there is a high likelihood of this being invalidated due to the US being unwilling to compromise in respect of its mass surveillance laws. It therefore appears we are about to enter a further period of EU to US data transfer turmoil.”