Meta has confirmed it will be appealing a €1.2 billion ($1.3 billion) GDPR fine imposed on it this week for the unlawful transfer of Europeans’ data to the US.
The Irish Data Protection Commission’s (DPC) decision was published on Monday morning and forces the company to suspend data transfers between the EU and US due to concerns over EU citizens’ data privacy.
The DPC said that current data transfer practices at Facebook “did not address the risks to the fundamental rights and freedoms of data subjects” and were in breach of the GDPR.
The ruling follows a long-running question over citizens’ data privacy and how Meta-owned Facebook conducts data transfers between the EU and US.
Data transfers were previously protected by the transatlantic ‘Privacy Shield’, which was originally created to allow secure data transfers between the EU and US, which operate in different data protection jurisdictions.
This was later invalidated after a lawsuit between Meta (then called Facebook) and Max Schrems concluded that the standard offered too much leniency to US surveillance laws.
The DPC noted that Meta used updated standard contractual clauses (SCCs) that were adopted by the European Commission in 2021 with the transfers in question, along with “additional supplementary measures”.
However, these were still deemed to have not safeguarded the rights and freedoms of European data subjects.
SOC modernization and the role of XDR
Security operations remain challenging
Ever since Privacy Shield was rendered invalid, businesses large and small have been left without clear guidance regarding cross-continent data transfers.
The EU is still yet to finalize a clear mechanism for safe and secure data transfers between it and the US, although one is expected before the end of the year.
Meta described the ruling as “unjustified and unnecessary” in a scathing response.
Nick Clegg, president for global affairs at Meta, criticized the DPC’s decision in a blog post, saying there is a “fundamental conflict of law between the US government’s rules on access to data and European privacy rights”.
“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” Clegg wrote alongside chief legal officer Jennifer Newstead.
The Computer & Communications Industry Association (CCIA) warned that the ruling will exacerbate confusion over current data transfer protocols for US-based firms.
“Since an EU Court invalidated the previous EU-US data framework back in 2020, European and US organizations and companies of all sizes have been left without clear guidelines for transatlantic data transfers,” the non-profit said in a statement.
“To this day, that uncertainty continues to affect not only companies, but also non-profits, charities, governments, and others. Data flows between the EU and US make up the busiest internet route in the world, and are vital to transatlantic trade. Yet, today’s decision to suspend data transfers from the EU to the US ignores that reality.”
Last year, the Biden administration signed an executive order introducing new data protection safeguards for European citizens. The CCIA said these should “pave the way for a new and strengthened EU-US data privacy framework”.
However, lawmakers on both sides of the Atlantic “still need to finalize the framework before it can come into force”.
“Today’s legal uncertainty will continue to persist as long as this new data transfer mechanism has not been formally approved by EU member states. We call on the 27 EU national governments to approve the Commission’s adequacy decision without delay,” said Alexandre Roure, public policy director at CCIA Europe.
The fine issued to Meta is the largest ever handed out since the GDPR was enacted in 2018.
It also comes the day before the landmark regulation’s fifth anniversary.
The previous record GDPR fine was handed to Amazon in 2021 by Luxembourg’s data protection regulator.
The tech giant was ordered to pay €746 million ($807 million) and the details of the case were never revealed in any great detail.
At the time the fine was nearly 15 times larger than the then-current record fine issued to Google in 2019 by the French data protection regulator CNIL.
