Meta gets record €1.2bn GDPR fine as Irish regulator overruled

Meta has been hit with a record €1.2bn fine under the GDPR for breaking rules when transferring Facebook data from the EU to the US. The tech giant has also been ordered to stop transferring the data. Meta said it would appeal the decision and stressed there would be no immediate disruption to Facebook’s service in the EU. The fine was handed out after the European Data Protection Board (EDPB) had to step in to resolve differences between Meta’s main regulator in Ireland, where the company is headquartered in Europe, and other data protection authorities across the continent over the size and scope of penalties. “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences,” said Andrea Jelinek, EDPB chair. The Irish Data Protection Commission (DPC) previously found that Facebook’s Meta broke GDPR rules by continuing to transfer personal data from the EU/EEA to the US after a landmark CJEU ruling ruled against the practice. The DPC prepared a draft decision last July that found the data transfers via standard contractual clauses were being carried out in breach of the GDPR and should be suspended. But the DPC didn’t plan to hand out any fine to Meta. However, all GDPR decisions have to be approved by other regulators, also known as Concerned Supervisory Authorities (CSAs), across Europe. And although all the CSA’s agreed with the DPC that the data transfers should be stopped, four of the 47 also wanted to hit Meta with a fine. The DPC disagreed and so the case was referred to the EPDB to make the final decision. The top European data regulator has clearly sided against the Irish DPC, which has now handed out the largest ever GDPR fine to date. “The EDPB instructed the IE DPA to amend its draft decision and to impose a fine on Meta IE. Given the seriousness of the infringement, the EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum,” said the EDPB. The DPC actually set the size of the fine based on the assessments and determinations included in the EDPB’s decision. The DPC has made clear that it still disagrees with fining Meta. The EDPB also instructed the Irish DPC to order Meta to bring processing operations into compliance with the GDPR within six months. And the Irish regulator’s initial ruling that Meta must stop transferring personal data to the US within five months also still stands. Meta is unhappy with the decision. Its president of global affairs Nick Clegg and chief legal officer Jennifer Newstead said: “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.” They said Meta will appeal the decision and seek to pause the ruling’s implementation periods. Max Schrems, the privacy activist behind the original 2013 complaint supporting the case, said: “We are happy to see this decision after ten years of litigation... Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.” Ireland’s DPC has been criticised for light touch GDPR regulation of the many tech giants that have set up their European headquarters in the country. Just recently, the Irish Council for Civil Liberties (ICCL) published stats showing that the DPC has been overruled in 75% of its GDPR investigation decisions by European counterparts seeking tougher enforcement. France is the only other lead authority to have been overruled, and this was in a single case. Publishing statistics as the GDPR approaches its five-year anniversary, the ICCL called on the EC to “take serious action” to properly enforce the regulation. It argued that the GDPR “remains largely paralysed” in action against big technology firms. “The EU cannot be a regulatory superpower unless it enforces its own laws. The European Commission has the tools and legal responsibility to tackle this enforcement crisis... The ultimate responsibility for this crisis rests with the European Commissioner for Justice, Didier Reynders. We urge him to take serious action,” the ICCL said. It acknowledged that the EC is working to improve cooperation between data protection authorities across Europe but said “much, much more is required to fix GDPR enforcement”. These comments were made before the record €1.2bn Meta fine that will perhaps help appease the ICCL and serve as warning to all companies that GDPR enforcement is getting stronger.

Meta gets record €1.2bn GDPR fine as Irish regulator overruled

Want to read this article?

Read Next

Marsh tracks slowdown in global Q1 rate hikes

Markel names head of terrorism in London

Insurers defend Nord Stream’s €400m lawsuit as act of war

Allstate posts nat cat loss of $343m for March

UAE flash flood losses manageable as insurers adapt to changing weather

Marsh tracks slowdown in global Q1 rate hikes

Markel names head of terrorism in London

Insurers defend Nord Stream’s €400m lawsuit as act of war

Allstate posts nat cat loss of $343m for March

UAE flash flood losses manageable as insurers adapt to changing weather

Want to read this article?

Read Next

Marsh tracks slowdown in global Q1 rate hikes

Markel names head of terrorism in London

Insurers defend Nord Stream’s €400m lawsuit as act of war

Allstate posts nat cat loss of $343m for March

UAE flash flood losses manageable as insurers adapt to changing weather

Related Articles