The owner of Facebook, Meta, has been fined €1.2bn (£1bn) for mishandling people’s data.
This fine is the largest imposed under the EU’s General Data Protection Regulation privacy law by Ireland’s Data Protection Commission (DPC).
The GDPR sets out rules that companies must follow when transferring user data outside the EU.
As a result of the “unjustified and unnecessary” ruling, Meta says it will appeal.
The decision hinges on the use of standard contractual clauses (SCCs) when moving data from the European Union to the United States.
As a result of these legal contracts, created by the European Commission, personal data is safeguarded when transferred outside the European Union.
However, these data flows still expose Europeans to the US’s weaker privacy laws, and US intelligence could access them.
Facebook in the UK is not affected by this decision. The Information Commissioner’s Office told the BBC that the decision “does not apply in the UK”, but had “noted the decision and will review the details in due course”.
It is a dangerous precedent
Many large companies use SCCs to transfer data – including email addresses, phone numbers, and financial information – to overseas recipients.
Meta says the fine is unfair due to their broad use.
“I am disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,” said Facebook president Nick Clegg.
In our view, this decision is flawed and unjustified, and it sets a dangerous precedent for other companies that transfer data between the EU and the US.”
Alternatives at home
However, privacy groups have welcomed the precedent.
In a statement, Caitlin Fennessy, of the International Association of Privacy Professionals, said: “The significance of this record-breaking fine matches its size.”
There is a lot of risk on the table for companies after today’s decision.”
As a result, EU companies may require their US partners to store data within Europe – or switch to domestic alternatives.
The battle that has lasted decades
As Edward Snowden revealed in 2013, American authorities repeatedly accessed people’s information via technology companies such as Facebook and Google.
Max Schrems, an Austrian privacy activist, filed a lawsuit against Facebook for breaching his privacy rights, instigating a decade-long debate over the legality of moving EU data to the US.
Washington does not do enough to protect the information of Europeans, according to the European Court of Justice (ECJ).
A data transfer agreement between the EU and the US was declared invalid by the ECJ in 2020.
As long as the transfer of data ensures an “adequate level of data protection”, the ECJ said companies can use SCCs.
The test Meta has failed.
Despite the €1.2bn fine, Mr Schrems said that it could have been higher after 10 years of litigation.
He added that Meta will have to fundamentally restructure its systems if US surveillance laws do not change.
Experts believe Meta’s privacy practices will not change despite the record-breaking fine.
Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, said that a billion-euro parking ticket doesn’t matter to a company that earns many more billions through illegal parking.
To assure the EU that American intelligence agencies would follow new rules governing data access, the US updated its internal legal protections.
The EU’s privacy standard was similarly flouted by Amazon in 2021.
WhatsApp, another Meta-owned business, was also fined by Ireland’s Data Protection Commission for not complying with strict data transparency regulations.
Stay With Us: Lets Guru