Meta has been fined a record 1.2 billion euros (US$1.3 billion) by the European Union following an investigation into Facebook’s transfer of personal data since July 2020.
In addition, Meta has been ordered to stop the illegal processing and transfer of personal data of European residents to the US by October.
The fine stems from an investigation by the Irish Data Protection Commission (DPC), acting on behalf of the European Data Protection Board (EDPB). As the Associated Press notes, it’s part of a battle that began in 2013 when Austrian lawyer and privacy activist Max Schrems filed a complaint about Facebook’s handling of his data after former National Security Agency contractor Edward Snowden’s revelations of electronic surveillance by US security agencies. This included the disclosure that Facebook had given agencies access to the personal data of Europeans.
For various legal reasons, the fine had to be decided by the EDPB, which then ordered the Irish Data Commission to set the total amount within certain parameters.
When the fine was announced, Chairman Andrea Jelinek said the EDPB found that the Meta Ireland breach is “very serious as it relates to transfers that are systematic, repeated and continuous. Facebook has millions of users in Europe, so the amount of personal data transferred is enormous. The unprecedented fine is a strong signal to organizations that serious breaches have far-reaching consequences.”
In response, Nick Clegg, Meta’s President of Global Affairs, and Jennifer Newstead, the company’s Chief Legal Officer, issued this statement: “Despite accepting that we had acted in good faith and that the fine was unfair, the DPC was rejected at the last minute by the European Data Protection Board. We are appealing these decisions and will immediately seek a stay from the courts, which could block the implementation deadline, given the damage these orders have caused, including to the millions of people who use Facebook every day.”
In 2020, the Meta statement notes, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, an agreement between the EU and the US on the transfer of personal data of European residents to the US. The CJEU affirmed that an alternative legal mechanism called Standard Contractual Clauses (or SCCs) would remain valid subject to various legal safeguards. After that, Meta and other businesses considered SCCs to be GDPR compliant. However, the Irish Privacy Commission found that the SCCs did not address the risks to the fundamental rights and freedoms of data subjects identified by the CJEU in its judgment.
The AP story notes that Brussels and Washington signed an agreement last year on a reworked Privacy Shield that Meta could use, but the agreement awaits a decision from European authorities on whether it adequately protects data privacy.
In an email, Toronto privacy lawyer Barry Sookman of the McCarthy Tétrault law firm noted that the Irish Data Protection Authority did not agree with the fine. “The decision raises serious questions about the ability of organizations to rely on the adequacy findings of the European Commission,” he said. “The use of standard contractual clauses was supported by the EU. If organizations cannot rely on adequacy findings or procedures, there is something very wrong with EU procedures. It appears that EU procedures are unreliable and they cannot be trusted. There is a dire need to review this judgement.”