The Irish Data Protection Commission (DPC) has imposed a record-breaking fine of €1.2 billion on Meta, Facebook’s parent company, for GDPR (General Data Protection Regulation) violations.
The violation concerns Facebook’s practice of transferring the data of EU-based users to US-based servers, hosting that data indefinitely, and processing it without restrictions, very likely also sharing it with other entities.
According to the results of the DPC’s almost three-year-long inquiry into the social media platform’s data transfer practices, the company violated Article 46(1) of the GDPR. That article concerns transfers of personal data to “third countries” and the need for those transfers to provide appropriate safeguards and effective legal remedies to the data subjects.
However, the U.S. does not have a comprehensive data protection regulation that can be considered the equivalent of the GDPR. On the contrary, each state follows a different legal approach, setting its own requirements and restrictions. Hence, the DPC considers transferring user data to the U.S. risky and in violation of the GDPR.
The administrative fine of €1.2 billion ($1.3 billion) is a record-breaking figure, almost double the previous record, Amazon’s €746 million fine imposed by Luxembourg’s data protection regulator. The fine is so hefty that it contradicts the widespread view that data protection legislation is toothless and penalties are too small to have any effect or effect real change in how businesses manage user data.
Apart from the fine, the Irish DPC also orders Facebook to stop all violating data transfer actions in the next five months and delete the data of EU citizens it unlawfully held on U.S. servers by November 2023.
Facebook to Appeal
In a post responding to the €1.2 billion fine imposed by the EU, Facebook makes it clear that it intends to appeal the decision, arguing that the administrative fine and the associated data transfer restrictions are unjust and detrimental to their European operations.
Facebook underlines that they acted in good faith by using Standard Contractual Clauses (SCCs) – a legal tool deemed reliable by European courts of law, and which the social media giant assumed was compliant with GDPR. The same mechanism is used by many organizations to perform transatlantic data transfers without ever raising objections from EU data protection authorities.
The tech company argues that the crux of the problem isn’t individual privacy practices but rather the overarching discord between U.S. data access regulations and the European emphasis on privacy rights. The impending implementation of the Data Privacy Framework (DPF) is predicted to address these divergences, regulating cross-border data transfers while ensuring the requisite protections are upheld within the U.S. context.