Meta has been hit with a record 1.2 billion euro (US$1.3 billion) fine by the European Union following an investigation into Facebook’s transfers of personal data since July 2020.
In addition, Meta has been ordered to stop the unlawful processing and transfer of the personal data of European residents to the U.S. by October.
The fine stems from an inquiry by the Irish Data Protection Commission (DPC) acting on behalf of the European Data Protection Board (EDPB). As the Associated Press notes, it’s part of a battle that began in 2013 when Austrian lawyer and privacy activist Max Schrems filed a complaint about Facebook’s handling of his data following former National Security Agency contractor Edward Snowden’s revelations of electronic surveillance by U.S. security agencies. That included the disclosure that Facebook gave the agencies access to the personal data of Europeans.
For various legal reasons, the decision on the fine had to be settled by the EDPB, which then ordered the Irish data commission to set the total within certain parameters.
When the fine was announced, chair Andrea Jelinek said the EDPB found that Meta Ireland’s infringement “is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
In response, Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, the company’s chief legal officer, issued this statement: “Despite acknowledging we had acted in good faith and that a fine was unjustified, the DPC was overruled at the last minute by the European Data Protection Board. We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day.”
In 2020, the Meta statement notes, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield, an agreement between the EU and the U.S. for the transfer of personal data of European residents to the U.S. The CJEU confirmed that an alternative legal mechanism called Standard Contractual Clauses (or SCCs) would continue to be valid, subject to various legal safeguards. After that, Meta, and other businesses, believed SCCs to be compliant with the GDPR. However, the Irish privacy commission found SCCs did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.
The AP story notes that Brussels and Washington signed a deal last year on a reworked Privacy Shield that Meta could use, but the pact is awaiting a decision from European officials on whether it adequately protects data privacy.
In an email, Toronto privacy lawyer Barry Sookman of the McCarthy Tetrault law firm noted that the Irish data protection authority did not agree with the fine. “The decision raises grave questions about organizations’ ability to rely on European Commission adequacy findings,” he added. “The use of standard contractual clauses was endorsed by the EU. If organizations cannot rely on adequacy findings or processes, there is something extremely problematic with the EU process. It appears that the European Union processes are unreliable and cannot be relied on. This decision is desperately in need of review.”
That was echoed in an analysis by Jedidiah Bracy for the International Association of Privacy Professionals (IAPP). He quoted an expert as saying the decision not only affects Meta but any company relying on even updated SCCs to transfer data to the U.S. The decision means data exporters should ensure data is protected in the recipient country in an equivalent way to how it is protected in the EU, the expert is quoted as saying.
Again, note that the EU has not weighed in on whether the reworked Privacy Shield meets GDPR adequacy.
In a separate analysis, two IAPP members look deeply into the legal history of the dispute.
A good part of the problem is that the U.S. doesn’t have a federal data protection law. Canada does: the Personal Information Protection and Electronic Documents Act (PIPEDA). The EU says PIPEDA held equivalency with European data protection rules up to the implementation of the GDPR in 2018. Since then, the EU has temporarily allowed PIPEDA to be seen as equivalent with the GDPR, but it expects the Canadian law to be updated. The Liberal government has proposed improving PIPEDA with Bill C-26 (the Consumer Privacy Protection Act). However, that legislation has yet to be passed — and the EU has yet to say if it meets GDPR equivalency.