€ 1.2 Billion GDPR Fine Against Meta for Personal Data Transfers to the US

How to prevent a penalty based on GDPR laws for my business?


Meta, Facebook’s parent company, has been issued a record-breaking fine of 1.2 billion euros by the Irish data protection authority, the largest ever imposed under the General Data Protection Regulation (GDPR). The scale of the fine, which could have exceeded 4 billion euros under the GDPR's upper limit of 4% of annual global turnover, highlights the severity of the violations committed by Meta in its handling of user data. This fine brings the sum total of Meta's GDPR fines to 2.5 billion euros; Meta now accounts for 6 of the 10 largest GDPR fines. Moreover, the Irish authority has ordered Meta to suspend personal data transfers from the EU to the United States and to bring its processing into compliance. About ten years after Max Schrems’ initial complaint to the Irish authorities, this fine is a significant step in holding the tech giant accountable and ensuring GDPR compliance. In business-to-business (B2B) operations, the need for technical and organizational measures (TOMs) for data transfers to countries outside Europe keeps growing. Data privacy activist Max Schrems points out that the enforcement of these measures could affect any cloud provider based in the United States. Indeed, further related activity by EU authorities seems likely until a new EU-US data transfer framework is established.


What happened so far?

Meta was fined because its transfers of personal data to the United States violate the General Data Protection Regulation (GDPR) as interpreted by the European Court of Justice (ECJ) in its Schrems II ruling. The decision rests on the fact that US surveillance laws and practices are considered incompatible with the GDPR’s strict privacy standards, as the ECJ established in the Schrems and Schrems II rulings. It is important to note that the fine does not cover the past ten years, or even the period since the GDPR came into effect, but only violations committed since the Schrems II decision on July 16, 2020, which may explain the relatively “small” amount of 1.2 billion euros. The fine was prompted by complaints and lawsuits filed by Max Schrems, a prominent data privacy activist. The European Data Protection Board (EDPB), the body established under the GDPR to coordinate enforcement among the national authorities, played an essential role in the action against Meta. The fine underscores the importance of safeguarding personal data and upholding data privacy rights in the digital age.


What is the EDPB’s decision?

The EDPB's binding decision 1/2023 forced the hand of the Irish authorities. In its draft decision, the Irish Supervisory Authority (IE SA) had not proposed a fine. The EDPB overruled the Irish position and obliged the IE SA to take action: firstly, Meta had to be fined for breaking GDPR rules, with the amount calculated according to EDPB guidelines; secondly, Meta had to bring its processing into compliance by ceasing the unlawful transfer and storage of personal data of European Economic Area (EEA) users in the United States; and thirdly, Meta had to comply within six months of receiving the IE SA's decision.


Why was the fine set at 1.2 billion euros?

The 1.2 billion euro fine was calculated on the basis of several factors determined by the European Data Protection Board (EDPB). These include the severity of the violation, the large amount of personal data involved, and the significant number of people affected. The extensive duration of the infringement, which is still ongoing, was also taken into account. The EDPB found that Meta Platforms Ireland (Meta IE), the controller for EU users, had acted with the highest degree of negligence and carried great responsibility. The infringement affected various categories of personal data, including sensitive information. Additionally, the EDPB established that Meta's service relied on international data transfers.


What does it mean for my business? How to respond?

To respond effectively to the ongoing situation, the following steps are generally recommended:

1. Understand the topic: start by thoroughly educating yourself on the relevant subject matter. Read the appropriate literature, such as whitepapers, official documents and expert analyses, to gain a comprehensive understanding of the implications and requirements.

2. Seek legal guidance: consult with legal experts or data protection officers specializing in GDPR to ensure your actions align with the expectations declared by regulatory authorities, and to obtain professional advice tailored to your organization's specific needs.

3. Review data transfers: examine all personal data transfers within your organization, especially those involving the personal data of EU citizens. Identify which transfers involve US-based clouds and determine their GDPR compliance.

4. Assess the risks: re-evaluate the potential risks associated with data transfers to US cloud providers, taking the recent enforcement measures and fines under consideration. Analyze the likelihood of non-compliance and the potential impact on your business.

5. Address risks: develop a strategy to mitigate risks and to ensure GDPR compliance. This may involve reducing the reliance on US cloud providers, exploring alternative cloud services within the EU and implementing additional safeguards for data transfers. A multi-cloud approach could also be considered. Very sensitive data and its processing would be located with a European cloud provider and other applications would remain with one of the global providers.

6. Introduce changes: implement the necessary changes to align with GDPR requirements and to reduce exposure to potential fines. This might include modifying data processing practices, updating contracts with cloud providers or adopting privacy-enhancing technology.

7. Monitor and adapt: the ongoing EU-US data transfer issues can only be solved by a change in data processing or US surveillance laws. To avoid risks, it is therefore recommended to continuously monitor the evolving regulatory landscape and adjust data management practices accordingly. Stay informed about any updates or changes to GDPR guidelines in order to continuously ensure compliance.


Is this the end of personal data transfers between the EU and the US?

The recent developments do not necessarily mean the end of personal data transfers between the EU and the US. While Meta has hinted at the possibility of discontinuing Facebook services in Europe, they will more likely appeal the decision to buy time until a new EU-US data transfer framework, scheduled for 2023, is in effect. Meta has stated that it will not stop Facebook services altogether. However, it is important to note that the situation may not continue indefinitely, as future legal decisions like ECJ’s "Schrems III" could again impact data transfers between the EU and the US. Consequently, there is an ongoing risk which could lead to a reduction in data transfers and an increased focus on implementing measures to protect these transfers, particularly in the B2B sector. Implications for data transfers with non-EEA countries beyond the US are also likely.



List of abbreviations

  • GDPR – General Data Protection Regulation
  • EDPB – European Data Protection Board
  • B2B – Business to Business
  • TOMs – Technical and organizational measures
  • ECJ – European Court of Justice
  • EDPS – European Data Protection Supervisor
  • IE SA – Irish Supervisory Authority
  • EEA – European Economic Area
