Contact

€ 1.2 Billion GDPR Fine Against Meta for Personal Data Transfers to the US

How to prevent a penalty based on GDPR laws for my business?


Meta, Facebook’s parent company, has been issued a record-breaking fine of 1.2 billion euros, the largest ever imposed under the General Data Protection Regulation (GDPR), by the Irish authorities. The scale of the fine, which could have even extended to over 4 billion euros, highlights the severity of the violations committed by Meta in their handling of user data. This fine has propelled the sum total of Meta's GDPR fines to 2.5 billion euros, accounting for 6 out of the top 10 largest GDPR fines. Moreover, Irish authorities have issued an injunction to halt and reverse personal data transfers from the EU to the United States. About ten years after Max Schrems’ initial complaint to Irish authorities, this fine is a significant step in holding the tech giant accountable and ensuring GDPR compliance. In business-to-business (B2B) operations, the need for technical and organizational measures (TOMs) pertaining to data transfers to countries outside of Europe keeps growing. Data privacy activist Max Schrems points out that the enforcement of these measures could affect any cloud provider based in the United States. Indeed, further related activity by EU authorities seems likely until a new EU-US data transfer framework is established.


What happened so far?

Meta was fined because the transfer of personal data to the United States violates the General Data Protection Regulation (GDPR), specifically the Schrems II ruling. The decision to fine Meta resulted from the fact that US surveillance laws and practices are considered incompatible with the GDPR’s strict privacy standards as specified by the European Court of Justice’s (ECJ) Schrems and Schrems II rulings. It is important to note that the fine does not pertain to the past ten years or even to the date the GDPR came into effect, but only to violations committed since the Schrems II decision on July 16, 2020, which could potentially explain the relatively “small” amount of 1.2 billion euros. The fine was prompted by complaints and lawsuits filed by Max Schrems, a prominent data privacy activist. The European Data Protection Board (EDPB), a newly established body for coordinating GDPR measures among national authorities, played an essential role in enforcing the action against Meta. The fine underscores the importance of safeguarding personal data and upholding data privacy rights in the digital age.


What is the EDPB’s decision?

The EDPB's binding decision 1/2023 forced the hand of the Irish authorities. The Irish Supervisory Authority (IE SA) had decided not to fine Meta or order the company to stop data transfers. The EDPB overruled the Irish decision and forced the IE SA to take action: firstly, Meta had to be be fined for breaking GDPR rules based on EDPB guidelines. Secondly, Meta would have to stop unlawfully transferring and storing user data from the European Economic Area (EEA) within the United States, and thirdly, Meta would have to comply within six months after receiving the IE SA's decision.


Why was the fine set at 1.2 billion euros?

The 1.2 billion euro fine was calculated based on several factors determined by the European Data Protection Board (EDPB). These include the severity of the violation, the large amount of personal data involved, and the significant number of people affected. The extensive duration of the infringement, which is still ongoing, was also taken into account. The EDPB found that Meta IE (Facebook's parent company) had been acting at the highest level of negligence and carried great responsibility. The security breaches affected various categories of personal data, including sensitive information. Additionally, the EDPB established that Meta's service relied on international data transfer.


What does it mean for my business? How to respond?

To respond effectively to the ongoing situation, the following steps are generally recommended:

1. Understand the topic: start by thoroughly educating yourself on the relevant subject matter. Read the appropriate literature, such as whitepapers, official documents and expert analyses, to gain a comprehensive understanding of the implications and requirements.

2. Seek legal guidance: consult with legal experts or data protection officers specializing in GDPR to ensure your actions align with the expectations declared by regulatory authorities, and to obtain professional advice tailored to your organization's specific needs.

3. Review data transfers: examine all personal data transfers within your organization, especially those involving the personal data of EU citizens. Identify which transfers involve US-based clouds and determine their GDPR compliance.

4. Assess the risks: re-evaluate the potential risks associated with data transfers to US cloud providers, taking the recent enforcement measures and fines under consideration. Analyze the likelihood of non-compliance and the potential impact on your business.

5. Address risks: develop a strategy to mitigate risks and to ensure GDPR compliance. This may involve reducing the reliance on US cloud providers, exploring alternative cloud services within the EU and implementing additional safeguards for data transfers. A multi-cloud approach could also be considered. Very sensitive data and its processing would be located with a European cloud provider and other applications would remain with one of the global providers.

6. Introduce changes: implement the necessary changes to align with GDPR requirements and to reduce exposure to potential fines. This might include modifying data processing practices, updating contracts with cloud providers or adopting privacy-enhancing technology.

7. Monitor and adapt: the ongoing EU-US data transfer issues can only be solved by a change in data processing or US surveillance laws. To avoid risks, it is therefore recommended to continuously monitor the evolving regulatory landscape and adjust data management practices accordingly. Stay informed about any updates or changes to GDPR guidelines in order to continuously ensure compliance.


Is this the end of personal data transfers between the EU and the US?

The recent developments do not necessarily mean the end of personal data transfers between the EU and the US. While Meta has hinted at the possibility of discontinuing Facebook services in Europe, they will more likely appeal the decision to buy time until a new EU-US data transfer framework, scheduled for 2023, is in effect. Meta has stated that it will not stop Facebook services altogether. However, it is important to note that the situation may not continue indefinitely, as future legal decisions like ECJ’s "Schrems III" could again impact data transfers between the EU and the US. Consequently, there is an ongoing risk which could lead to a reduction in data transfers and an increased focus on implementing measures to protect these transfers, particularly in the B2B sector. Implications for data transfers with non-EEA countries beyond the US are also likely.



List of abbreviations

  • GDPR – General Data Protection Regulation
  • EDPBEuropean Data Protection Board
  • B2B – Business to Business
  • TOMs – Technical und organizational measures
  • ECJ – European Court of Justice
  • EDPS – European Data Protection Supervisor
  • IE SA – Irish Supervisory Authority
  • EEA – European Economic Area

Related content

whitepaper

CLOUD Act, GDPR, and the Swiss DSG and Bank Act

It may soon be impossible to accept the risks of using US cloud providers to process personal data. This whitepaper deals with data sovereignty when US law with FISA, ECPA, and CLOUD Act increases conflict with European Law, particularly the GDPR, the SCHREMS II decision, and the Swiss DSG. Further challenges are likely to arise from BREXIT and new judgments of the European Court of Justice (ECJ).
blog

GDPR Updates You Can't Ignore: The New Standard Contractual Clauses in Detail

Tick-tock... did you hear that? That was the sound of a deadline passing. On December 27, 2022, the EU's GDPR standard contractual clauses (SCC) became officially binding - a call to arms for businesses around the globe. Surprisingly, numerous companies, from small startups to large corporations, are yet to embrace these changes. Could this be you?
blog

Almost 30 years of challenges with US data protection

The nearly 30 years since the first EU Data Protection Directive (95/46/EC) was published in 1995, have been characterized by challenges around data transfer to the US. It will soon be 3 years since the ECJ invalidated the second agreement on the transfer of personal data from the EU to the US due to glaring shortcomings, and it will soon be a year since the EU and the US settled on a new agreement "in principle".
blog

GAIA-X: On the way to digital emancipation
Expo & Congress

it-sa 2023

Come visit our security experts team at the A1 Digital booth on it-sa Expo & Congress 2023, Europe's leading trade fair for IT security!
event

Uphill Conf

Explore the profound and lasting impact of artificial intelligence and machine learning at Uphill Conf.
blog

Smart tachograph 2: The new tachograph regulations are coming in 2024

Due to new tachograph regulations as part of the EU’s mobility package, trucks and commercial vehicles over 3.5 tonnes in cross-border traffic will have to be equipped with the new smart tachograph version 2 between 2024 and 2026. With the digital remote readout of your smart tachograph 2, you are able to continuously optimize tachograph compliance with legal requirements and reduce the time and costs of your fleet management at the same time.
event

InCyber Forum Europe

Europe’s leading event on digital security and trust issues.
Conference

Kubernetes Community Days UK 2024

Join us for Kubernetes Community Days UK, London's leading community-organized event for Cloud Native enthusiasts, returning in 2024. Supported by the Cloud Native Computing Foundation and organized by community leaders, this event is a hub for learning, networking, and collaboration.
Congress

IoT Solutions World Congress Barcelona 2024

We are delighted to announce our participation in the IOT Solutions World Congress, the premier global event for innovative technology solutions, from May 21-23, 2024, at the Gran Via Venue in Barcelona.