In a major setback, social media giant Meta was fined 1.2 billion euros (or $1.3 billion) on Monday by the Irish Data Protection Commission (DPC), which represents the European Union (EU), for not addressing privacy concerns when transferring EU users' data to the US.
According to the DPC, Meta failed to "address the risk to the fundamental rights and freedoms of EU citizens in relation to the processing and the facilitation of the free flow of personal data." The DPC said the data transfers should be suspended.
The DPC's initial enquiry regarding this commenced in August 2020 and was subsequently stayed by an Order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021.
"Meta Ireland continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s (Court of Justice of the European Union) judgment in Data Protection Commissioner vs Facebook Ireland Limited and Maximillian Schrems," DPC said.
In 2013, Austrian activist Maximilian Schrems filed a complaint against Meta Ireland with the Irish Data Protection Commission, seeking to prohibit the transfer of his personal data by Meta Ireland to the US under the Safe Harbor Framework.
According to the US Federal Trade Commission, the framework provides a legal mechanism for companies to transfer personal data from the EU to the US. Schrems argued that US law does not ensure sufficient privacy against surveillance activities in relation to the transfer of data between the US and EU. Following this, in October 2015, the CJEU invalidated the Safe Harbor Framework in the Schrems vs Data Protection Commission case. Meta Ireland then transferred data to Meta US using standard contractual clauses. However, the DPC argued, following a complaint by Schrems, that the manner in which data is transferred from Meta Ireland to Meta US can be the US government, which is not compatible with the US law. The initial enquiry regarding this commenced in August 2020 and was subsequently stayed by Order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021.
"While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment," DPC said in a statement.
In response to the DPC's decision, Meta said that the company is "disappointed to be singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe."
"Thousands of businesses and other organisations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day," said Nick Clegg, President, Global Affairs, and Jennifer Newstead, Chief Legal Officer, Meta.
"Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on. That’s why providing a sound legal basis for the transfer of data between the EU and the US has been a political priority on both sides of the Atlantic for many years," he added.