Meta Platforms Gets $1.2 Billion GDPR Fine for Transatlantic Data Transfers

Almost 5 years to the day after the General Data Protection Regulation (GDPR) was signed into law, Meta Platforms has been fined €1.2 billion by the Irish Data Protection Commission (DPC) for violating Article 46(1) of the GDPR by transferring the personal data of Facebook users from the EU to servers in the United States. The fine does not apply to data transfers by other Meta companies, such as WhatsApp and Instagram.

Article 46(1) of the GDPR prohibits transfers of personal data to countries or international organizations that do not have appropriate safeguards to prevent the interception of personal data; if such transfers take place, they must include safety and legal remediation mechanisms. The problem with transatlantic data transfers to the US is that the protections for the data vary from state to state. Data transfers from the EU to the US had previously been conducted under the 2016 EU-US Privacy Shield, under which data transfers and US-based data storage were permitted if companies were on the Privacy Shield list. However, in June 2020, the Court of Justice of the European Union (CJEU) ruled that data transfers under the EU-US Privacy Shield were illegal and that stricter privacy protections were required. Meta Platforms subsequently conducted data transfers on the basis of updated Standard Contractual Clauses (SCCs) that were adopted by the European Commission in 2021; however, SCCs were found not to adequately address the risks to the fundamental rights and freedoms of data subjects, and they were also prohibited by the CJEU. The problem with SCCs is that they do not prevent a company from complying with US law, such as directives from the NSA, which means user data could be accessed by US intelligence agencies.

Meta Platforms was made aware that data transfers based on SCCs were not legal yet continued to conduct data transfers using SCCs. The DPC did not support a financial penalty for Meta Platforms; however, the European Data Protection Board (EDPB) overruled the DPC decision after data protection authorities in other EU countries objected to the lack of a financial penalty. After receiving the binding decision of the EDPB, which suggested a fine of between 20% and 100% of the maximum possible fine due to the seriousness of the violation, the DPC imposed a financial penalty of $1.2 billion, the largest GDPR fine issued to date by any Data Protection Authority to resolve a GDPR violation.

Meta Platforms has been told to cease transferring user data from the EU to the US but has been given until November 12, 2023, to comply and to transfer the data back or ensure it is deleted. Meta Platforms is expected to appeal the decision and delay compliance. It responded to the decision by saying it has been relying on SCCs for cross-border data transfers like thousands of other companies, and pointed out that the CJEU had previously accepted that SCCs are valid. As such, Meta considers the fine to be unfair, unnecessary, and disproportionate, stating that this is not about the actions of one company but many, and said there is a fundamental conflict of law between US government rules on access to data and European privacy rights.

Policymakers are expected to resolve the issue in the summer with the forthcoming Data Privacy Framework (DPF). If that framework is approved, Facebook would not be required to cease transferring data. If the framework is not agreed, Meta Platforms will be required to fundamentally restructure its systems to continue to provide the Facebook service to EU citizens.

Author: NetSec Editor