Meta hit by record €1.2 billion GDPR fine: SaaS providers need to wake up to EU-US data transfer risk
It’s a bombshell fine and a boat-rocking one, born of a complex dispute but also one with simple roots...
You may, by now, have read the headlines: The record Meta GDPR fine of €1.2 billion from Ireland’s Data Commissioner. The fact that the Facebook, Instagram, and WhatsApp owner has been ordered to suspend transfers of user data to the US within five months. Meta’s lament that it has been “singled out...”
It’s a bombshell fine and a boat-rocking one, born of a complex dispute but also one with simple roots, which go back to the revelations by former National Security Agency (NSA) contractor Edward Snowden that US intelligence agencies were hoovering up unfathomable quantities of detailed data on internet users – and that those affected by this in Europe were not afforded some of the protections that US citizens are.
Other companies transferring European user data to the US need to sit up and pay attention.
Record Meta GDPR fine: Death to SCCs?
The most disruptive element of the decision, as data consultancy Castlebridge’s Daragh O’Brien puts it succinctly, “is the long-heralded suspension of transfers to the US under Standard Contractual Clauses (SCCs).”
These had replaced the transatlantic ‘Privacy Shield’, created to allow secure data transfers between the EU and US, but shot down after the Court of Justice of the European Union, on 16 July 2020, declared it invalid in the Schrems II case. SCCs were adopted by the European Commission in 2021 as a temporary replacement.
A new “Transatlantic Data Agreement” (TADA) adequacy decision has not been finalised.
It may not exist in time for Meta to switch to it as an alternative basis.
“Whatever the detail of the Meta/Facebook decision [it] will have implications for other transfers of personal data to the United States by other cloud platforms (think Office365, Google Workspace, Twitter, and potentially OpenAI etc),” O’Brien said. “[They will need to] review the… decision for the details of the issues which triggered the suspension of processing on the basis of SCCs. It will be important to understand the actual fact pattern and what the gaps were that need to be addressed in other uses of SCCs for transfers outside the EU/EEA.”
Meta’s changes to data protection “fail to remedy the particular gaps or deficiencies in US law, as identified by the CJEU in the [2020] Judgment. In particular, and by way of example, I note that they do not address the finding at paragraph 180 of the Judgment that Section 702 FISA does not indicate any limitations on the power it confers to implement surveillance programmes. Nor do they address (much less remedy) the fact that data subjects do not have the possibility of bringing a legal action in the United States before an independent and impartial court, in violation of Article 47 of the [GDPR] Charter,” Ireland’s DPC said.
The Computer & Communications Industry Association (CCIA) warned of deeper industry confusion in the wake of the record Meta GDPR fine. The non-profit said: “Since an EU Court invalidated the previous EU-US data framework… companies of all sizes have been left without clear guidelines for transatlantic data transfers. To this day, that uncertainty continues to affect not only companies, but also non-profits, charities, governments, and others. Data flows between the EU and US make up the busiest internet route in the world, and are vital to transatlantic trade. Yet, today’s decision to suspend data transfers from the EU to the US ignores that reality.”
Meta’s President of Global Affairs Nick Clegg said: “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”
Under GDPR there is provision for “necessary transfers”, but these fall under Article 49 of GDPR, and the European Data Protection Board (EDPB) guidance is clear that this is for emergency and occasional use only. As O’Brien notes: “Fundamental question that will need to be addressed by Meta as part of their response to this decision is whether they have the underlying data structures to segregate data and prevent EU data being transferred to the US. They probably don’t, because that’s not the kind of thing you think about when you are moving fast and breaking things. This will have an impact on whether Meta can actually comply with the decision to suspend transfers. Which makes the horserace between the decision and the TADA Adequacy Decision all the more pressing.”