In a recent development, Meta was fined a record 1.2 billion euros ($1.3 billion) by the Irish Data Protection Commission for breaching the European Union’s tough rules on data privacy, known as the General Data Protection Regulation (GDPR). In addition to the fine, the Irish Data Protection Commission ordered Meta to suspend all transfers of personal data belonging to users in the European Union (EU) and the European Economic Area, which includes the non-EU countries Iceland, Liechtenstein and Norway to the United States within five months. Meta has also been given six months to stop “the unlawful processing, including storage, in the US” of personal EU data already transferred across the Atlantic, meaning that user data will need to be removed from Facebook servers.
The Irish Data Protection Commission’s decision comes after a lengthy investigation into Meta’s data practices, specifically regarding the company’s handling of user data and its compliance with the GDPR. The ruling does not affect data transfers at Meta’s other main platforms, Instagram and WhatsApp. Meta said it would appeal against the decision and seek a stay on the data transfer order. Helen Dixon, the Data Protection Commissioner for Ireland which is the main regulator for Meta and several other big US tech companies said the ruling was based on the existing EU-US data transfers framework in place.
GDPR, which came into effect in May 2018, restricts what companies are able to do with people’s personal data. Since it came into effect, EU privacy regulators have hit major US tech companies with very large fines, including an $887 million on Amazon in Luxembourg and a $267 million fine on WhatsApp in Ireland. Meta’s fine is the largest to date. These large fines shed light on the long-standing political and legal struggle to reconcile American laws on consumer data with European laws, which are more protective of online privacy and security.
After the 2020 Court of Justice of the EU ruling that the Privacy Shield agreement did not adequately uphold EU privacy law, many companies had to reconsider how they store, and collect the data of European customers. Companies, such as Meta, thought they could continue transferring data across borders legally through an alternative legal mechanism called Standard Contractual Clauses (SCCs). This landmark Meta fine sends a clear message to companies that rely on SCCs that they are violating GDPR.
The EU and US have been working on an EU-US data privacy framework, but it still needs final approval in the EU. European Commission spokesperson Christian Wigand, “This would provide the stability and legal certainty that companies look for, while ensuring strong protections for the privacy of individuals.” Read the full article on The Washington Post.
Disclosure: Fatty Fish is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
The Fatty Fish Editorial Team includes a diverse group of industry analysts, researchers, and advisors who spend most of their days diving into the most important topics impacting the future of the technology sector. Our team focuses on the potential impact of tech-related IP policy, legislation, regulation, and litigation, along with critical global and geostrategic trends — and delivers content that makes it easier for journalists, lobbyists, and policy makers to understand these issues.
- The Fatty Fish Editorial Teamhttps://fattyfish.org/author/fattyfish_editorial/
- The Fatty Fish Editorial Teamhttps://fattyfish.org/author/fattyfish_editorial/
- The Fatty Fish Editorial Teamhttps://fattyfish.org/author/fattyfish_editorial/
- The Fatty Fish Editorial Teamhttps://fattyfish.org/author/fattyfish_editorial/
