Ireland’s Data Protection Commission (DPC) has this morning announced its final ruling on a years-long investigation into Meta’s data practices in Europe, handing the social giant a €1.2 billion fine for unlawful practices which aren’t compliant with the EU’s General Data Protection Regulation (GDPR).
The ruling covers Meta’s transfers of personal data between the EU and the US. While Meta has taken steps to bring these data transfers in line with the GDPR, the DPC ruled that these steps don’t go far enough to protect EU users’ data. And after a lengthy process the fine has been issued, along with an order to suspend any future transfer of personal data to the US within five months from the date of notification of the DPC’s decision to Meta, and an order to cease processing of personal data which has already been illegally sent to the US within the next six months.
Meta’s president of global affairs Nick Clegg and chief legal officer Jennifer Newstead said in a joint statement that Meta will appeal what it sees as “unjustified and unnecessary fines”. The two also said Meta will seek a stay on the two deadlines imposed in the ruling, saying that the orders would cause harm to “the millions of people who use Facebook every day”.
A lengthy legal process
The DPC’s enquiry covered the period since July 16th 2020, following the European Court of Justice’s ruling on Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II), a lawsuit filed by privacy campaigner Max Schrems against Facebook.
That judgement invalidated the ‘Privacy Shield’ agreement between the US and EU, which many businesses (including Meta) had used as a legal basis for sending personal data between the US and EU. It also found that while ‘Standard Contractual Clauses’ (legal mechanisms which companies can use to enable data transfers) could theoretically be used as a legal basis for data transfers, data exporters would have to be able to show that these SCCs guaranteed a high level of data protection for EU citizens’ data.
Meta, like many other companies, switched over to using SCCs as the legal basis for its data transfers, and carried on sending data between the US and EU. But after its inquiry, Ireland’s DPC ruled that these SCCs don’t provide sufficient protection. A major bone of contention is that US intelligence agencies can gain access to sensitive data when it’s deemed necessary for national security purposes, something which SCCs can’t protect against. As such, the DPC stated that Meta should have stopped sending EU citizens’ data over to the US following the Schrems II ruling, meaning all data exported to the US since that ruling has been sent over illegally.
Ireland’s DPC initially decided to order a change to Meta’s data practices, without a fine. But under GDPR, the DPC’s decision was reviewed by other data protection authorities across Europe, some of whom believed a harsher punishment was in order. When an agreement couldn’t be reached, the case was sent to the European Data Protection Board, which was given the final say. And the Board ruled that a fine is appropriate, hence today’s final judgement.
Implications beyond Meta
While the hefty fine in and of itself will be a burden to Meta, the orders to cease illegal data transfers in the coming months will also be a major worry.
Given the importance of personal data for Meta’s overall business, including for the creation and maintenance of user profiles on its social media sites and for its advertising business, an inability to send data between the US and EU could be catastrophic. The company has previously indicated that an inability to make these data transfers would threaten its ability to operate in Europe.
Meta says the DPC’s ruling stretches beyond its own business, since many other companies use SCCs to send data over to the US too. “The ability for data to be transferred across borders is fundamental to how the global open internet works,” said Clegg and Newstead in their joint statement. “From finance and telecommunications to critical public services like healthcare or education, the free flow of data supports many of the services that we have come to rely on. Thousands of businesses and other organisations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day. Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”
One of Meta’s main arguments for suspending the deadlines imposed by the DPC is that the US and EU are already working on a deal to replace the original Privacy Shield. If such a deal were agreed, Meta would be able to make data transfers based on this new framework, without any change to its business. Suspending the deadlines would mean Meta wouldn’t have to put in the work to wind up data transfers in case a deal isn’t reached in time, only to resume them again once a deal is in place.
But there’s no guarantee that a new Privacy Shield will be agreed – and even if it is, it may well be challenged by privacy campaigners. The central conflict – between America’s practice of allowing intelligence agencies to access sensitive data, and the GDPR’s obligation that personal data must have rock-solid safeguards when it’s sent overseas – is a difficult one to solve.