Meta has been hit with a record 1.2 billion euro (US$1.3 billion) fine by the European Union following an investigation into Facebook’s transfers of personal data since July 2020.
In addition, Meta has been ordered to stop the unlawful processing and transfer of the personal data of European residents to the U.S. by October.
The fine stems from an inquiry by the Irish Data Protection Commission (DPC) acting on behalf of the European Data Protection Board (EDPB). As the Associated Press notes, it’s part of a battle that began in 2013 when Austrian lawyer and privacy activist Max Schrems filed a complaint about Facebook’s handling of his data following former National Security Agency contractor Edward Snowden’s revelations of electronic surveillance by U.S. security agencies. That included the disclosure that Facebook gave the agencies access to the personal data of Europeans.
For various legal reasons, the decision on the fine had to be settled by the EDPB, which then ordered the Irish data commission to set the total within certain parameters.
When the fine was announced, chair Andrea Jelinek said the EDPB found that Meta Ireland’s infringement “is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
In response, Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, the company’s chief legal officer, issued this statement: “Despite acknowledging we had acted in good faith and that a fine was unjustified, the DPC was overruled at the last minute by the European Data Protection Board. We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day.”
In 2020, the Meta statement notes, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield, an agreement between the EU and the U.S. for the transfer of personal data of European residents to the U.S. The CJEU confirmed that an alternative legal mechanism called Standard Contractual Clauses (or SCCs) would continue to be valid subject to various legal safeguards. After that, Meta, and other businesses, believed SCCs to be compliant with the GDPR. However, the Irish privacy commission found SCCs did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.
The AP story notes that Brussels and Washington signed a deal last year on a reworked Privacy Shield that Meta could use, but the pact is awaiting a decision from European officials on whether it adequately protects data privacy.
In an email, Toronto privacy lawyer Barry Sookman of the McCarthy Tetrault law firm noted that the Irish data protection authority did not agree with the fine. “The decision raises grave questions about organizations’ ability to rely on European Commission adequacy findings,” he added. “The use of standard contractual clauses was endorsed by the EU. If organizations cannot rely on adequacy findings or processes, there is something extremely problematic with the EU process. It appears that the European Union processes are unreliable and cannot be relied on. This decision is desperately in need of review.”