Meta, the owner of Facebook, has recently been hit with a substantial €1.2 billion fine for GDPR violations. The fine is in relation to the transfer of data on European citizens to the US from Meta’s headquarters in Ireland. According to the Irish Data Protection Commission (DPC), which delivered the decision, Facebook was found to have breached GDPR by sharing data “on the basis of standard contractual clauses (SCCs) since 16 July 2020.” This implies that, according to GDPR, data belonging to European Facebook users was unlawfully processed and stored in the US.
This is the largest GDPR-related fine on record, and Meta has also been given six months to bring its data transfers into compliance with data privacy regulations. The DPC noted that although Meta Ireland implemented transfers on the basis of updated SCCs introduced by the European Commission in 2021, these changes “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU (Court of Justice of the European Union) in its judgment.”
Andrea Jelinek, EDPB Chair, emphasized the gravity of the situation, stating, “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous.” She went on to say, “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
At the crux of the issue is concern surrounding US surveillance laws and how they may encroach upon the data privacy of EU citizens. This legal battle has been simmering for several years, with the European Court determining in 2020 that EU data may not be safe if transferred to the US due to American surveillance activities. Facebook has fiercely objected to this conclusion.
Nick Clegg, President of Global Affairs at Facebook, issued a statement expressing disappointment in the ruling and outlining the company’s position. He listed the invalidation of Privacy Shield by the CJEU in 2020 as a significant event that caused widespread “regulatory and legal uncertainty” for Meta and thousands of other organizations. Meta relied on SCCs as an alternative legal mechanism, believing them to be compliant with GDPR.
Clegg explained that Meta is appealing the decision and will be seeking an immediate stay with the courts, given the potential harm caused by the judgment, including to the millions of people who use Facebook daily. Facebook has assured users that there will be no direct disruption to its services in the EU. However, considering the ongoing appeal, this saga is far from over. Stay informed on the latest developments by following news updates in the telecommunications field.