Meta, formerly known as Facebook, was fined an extraordinary $1.3 billion for data transfers to the United States. This record-breaking penalty emphasises the gravity of the circumstance and emphasises the significance of the company’s breach. The fine sends a strong message about the repercussions of data misuse and emphasises the growing need of protecting user information in international data transfers.
This record-breaking fine is unprecedented in its scale, and it is accompanied by a mandate prohibiting data transfers to the United States. This legal action can be traced back to 2013 when disclosures about pervasive surveillance practices by the US government surfaced.
Let’s Walk through the Timeline!
Previously, Facebook participated in data transfers between European countries and the United States under the EU-US Privacy Shield, a structure established by the GDPR in 2016. This arrangement allowed European data to be stored with US companies that are part of the Privacy Shield.
However, following the “Schrems II” case in July 2020, the landscape of foreign data transfers underwent substantial changes. The European Union’s Court of Justice (CJEU) determined that any transfers of personal data based on the Privacy Shield Decision were illegal, mandating the implementation of tougher data control measures.
The Irish Data Protection Commission (DPC) initiated an investigation into Meta’s (previously Facebook) data transfer practices in August 2020. The DPC published a preliminary ruling in July 2022, finding that the tech giant violated Article 46(1) of the GDPR.
On April 13, 2023, the European Data Protection Board (EDPB) issued a binding ruling instructing the Irish DPC to punish Meta and require the firm to comply with the GDPR regulations.
The Irish DPC issued a $1.3 billion administrative fine on Meta on 22nd May 2023, in accordance with the EDPB’s judgement. The fine was calculated using the EDPB’s guidelines, which prescribe penalties ranging from 20% to 100% of the maximum applicable fine, depending on the gravity of the offence.
How did we reach here?
The events that led to the current crisis may be traced back to 2013, when whistleblower Edward Snowden revealed the US government’s massive surveillance programmes, including the collecting of user data from social media platforms through PRISM. This revelation sparked worries about personal data protection under European law because US legislation prioritised national security and provided intelligence services with vast monitoring capabilities.
Max Schrems, an Austrian privacy activist, has filed charges against many internet giants, including Apple and Facebook, for alleged collaboration with data-gathering programmes run by US intelligence agencies. In 2013, Ireland’s data protection regulator dismissed Apple and Facebook’s concerns, noting their participation in the EU-US data adequacy agreement known as Safe Harbour, which was in operation at the time. The authority claimed that Safe Harbour answered any worries about spying.
Schrems filed an appeal with the Irish High Court, which sent the case to the European Union’s Court of Justice (CJEU). The CJEU rejected the Safe Harbour framework in October 2015, stating that it did not assure essential comparability between EU and US data protection requirements. This decision, known as Schrems I, necessitated the creation of a new data transfer agreement.
The EU-US Privacy Shield, which replaced Safe Harbour, was swiftly negotiated and adopted by US and EU parliamentarians in July 2016. However, Schrems continued to express concerns about its efficacy, calling it “lipstick on a pig.” Finally, the CJEU invalidated the Privacy Shield in July 2020, highlighting the necessity of transparency.
Schrems’ case against Facebook focused on the usage of Standard Contractual Clauses (SCCs), a different data transfer mechanism. The Irish Data Protection Commission (DPC) chose to dispute the legality of SCCs in court, raising concerns about their overall security. This action resulted in a new referral to the CJEU in April 2018, calling the Privacy Shield’s legitimacy into doubt once more. The CJEU’s subsequent judgement, known as Schrems II, exposed both the Privacy Shield and SCCs by emphasising the obligation of EU data protection authorities to ensure proper data protection when transferring data to third countries.
Although SCCs were not declared illegal, the CJEU emphasised the importance of enforcing and scrutinising them when used for data transfers to hazardous nations. Given the CJEU’s concerns about US monitoring practices, it was clear that Facebook judged the US to be a dangerous destination for data transfers.
Because Facebook’s economic model is primarily reliant on user data access, this circumstance presents a unique challenge. To deliver tailored behavioral adverts, the firm tracks and profiles web visitors. As a result, Facebook was unable to install extra protections, such as end-to-end encryption, to improve the security of data sent to the US by European users.
As a result of the invalidation of US data adequacy and the attention exerted by the CJEU on the alternative mechanism Facebook relied on, the issue became difficult for Ireland to ignore. The Irish Data Protection Commission (DPC) issued a preliminary decision in September 2020 to suspend data transmissions to Facebook’s parent company, Meta. This triggered a series of legal disputes as Meta received a stay of execution and attempted to contest it in court. However, the matter became more complicated when the Irish regulator opted to initiate a fresh procedure while suspending ‘Max Schrems’ long-standing complaint, raising concerns about further delays. Schrems sought a judicial review of the DPC’s procedures, which resulted in the DPC promising to expedite the resolution of his case in January 2021.
The Irish courts lifted the hold on the DPC’s decision-making process in May of the same year, allowing the DPC to proceed. As a result, Ireland had no more justifications to postpone the resolution of Schrems’ complaint. The case then went through the regular GDPR enforcement process, with the DPC investigating for nearly a year and issuing a revised preliminary ruling in February 2022. This judgement was later examined by various EU Data Protection Authorities, which resulted in challenges being filed by August 2022. In the lack of authority agreement, the European Data Protection Board (EDPB) issued a binding ruling in April 2023.
As a result, the Irish regulator was given a one-month deadline to issue a final conclusion that would apply the EDPB’s binding ruling. We will not see true change unless users desire fair remuneration. Because the authorities are not now actively enforcing the GDPR, consumer rights organisations and users must take action. As a result, we encourage all Facebook users in the Netherlands to file claims for potential damages. Furthermore, the EU’s Collective Redress Directive must be implemented this summer, allowing European users to file collective actions for GDPR violations for the first time.
Also read the Tsaaro’s Report on Privacy Fines 2022 that highlights industry-wise and country-wise analysis in-depth, the countries on the data privacy fines in 2022, the most violated provisions of GDPR, etc. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today. Tsaaro helps in compliance with the privacy laws, with the skilled privacy professionals in the market. Get in touch with us at firstname.lastname@example.org .