Meta, Facebook’s parent company, has been issued a record-breaking fine of 1.2 billion euros, the largest ever imposed under the General Data Protection Regulation (GDPR), by the Irish authorities. The scale of the fine, which could have even extended to over 4 billion euros, highlights the severity of the violations committed by Meta in their handling of user data. This fine has propelled the sum total of Meta's GDPR fines to 2.5 billion euros, accounting for 6 out of the top 10 largest GDPR fines. Moreover, Irish authorities have issued an injunction to halt and reverse personal data transfers from the EU to the United States. About ten years after Max Schrems’ initial complaint to Irish authorities, this fine is a significant step in holding the tech giant accountable and ensuring GDPR compliance. In business-to-business (B2B) operations, the need for technical and organizational measures (TOMs) pertaining to data transfers to countries outside of Europe keeps growing. Data privacy activist Max Schrems points out that the enforcement of these measures could affect any cloud provider based in the United States. Indeed, further related activity by EU authorities seems likely until a new EU-US data transfer framework is established.
Meta was fined because the transfer of personal data to the United States violates the General Data Protection Regulation (GDPR) as interpreted in the Schrems II ruling. The decision to fine Meta resulted from the fact that US surveillance laws and practices are considered incompatible with the GDPR’s strict privacy standards, as specified by the European Court of Justice’s (ECJ) Schrems and Schrems II rulings. It is important to note that the fine does not pertain to the past ten years or even to the date the GDPR came into effect, but only to violations committed since the Schrems II decision on July 16, 2020, which could potentially explain the relatively “small” amount of 1.2 billion euros. The fine was prompted by complaints and lawsuits filed by Max Schrems, a prominent data privacy activist. The European Data Protection Board (EDPB), a newly established body for coordinating GDPR measures among national authorities, played an essential role in enforcing the action against Meta. The fine underscores the importance of safeguarding personal data and upholding data privacy rights in the digital age.
The EDPB's binding decision 1/2023 forced the hand of the Irish authorities. The Irish Supervisory Authority (IE SA) had decided not to fine Meta or order the company to stop data transfers. The EDPB overruled the Irish decision and forced the IE SA to take action: firstly, Meta had to be fined for breaking GDPR rules based on EDPB guidelines; secondly, Meta would have to stop unlawfully transferring and storing user data from the European Economic Area (EEA) within the United States; and thirdly, Meta would have to comply within six months after receiving the IE SA's decision.
The 1.2 billion euro fine was calculated based on several factors determined by the European Data Protection Board (EDPB). These include the severity of the violation, the large amount of personal data involved, and the significant number of people affected. The extensive duration of the infringement, which is still ongoing, was also taken into account. The EDPB found that Meta IE (Facebook's parent company) had been acting at the highest level of negligence and carried great responsibility. The security breaches affected various categories of personal data, including sensitive information. Additionally, the EDPB established that Meta's service relied on international data transfer.
To respond effectively to the ongoing situation, the following steps are generally recommended:
1. Understand the topic: start by thoroughly educating yourself on the relevant subject matter. Read the appropriate literature, such as whitepapers, official documents and expert analyses, to gain a comprehensive understanding of the implications and requirements.
2. Seek legal guidance: consult with legal experts or data protection officers specializing in GDPR to ensure your actions align with the expectations declared by regulatory authorities, and to obtain professional advice tailored to your organization's specific needs.
3. Review data transfers: examine all personal data transfers within your organization, especially those involving the personal data of EU citizens. Identify which transfers involve US-based clouds and determine their GDPR compliance.
4. Assess the risks: re-evaluate the potential risks associated with data transfers to US cloud providers, taking the recent enforcement measures and fines under consideration. Analyze the likelihood of non-compliance and the potential impact on your business.
5. Address risks: develop a strategy to mitigate risks and to ensure GDPR compliance. This may involve reducing the reliance on US cloud providers, exploring alternative cloud services within the EU and implementing additional safeguards for data transfers. A multi-cloud approach could also be considered. Very sensitive data and its processing would be located with a European cloud provider and other applications would remain with one of the global providers.
6. Introduce changes: implement the necessary changes to align with GDPR requirements and to reduce exposure to potential fines. This might include modifying data processing practices, updating contracts with cloud providers or adopting privacy-enhancing technology.
7. Monitor and adapt: the ongoing EU-US data transfer issues can only be solved by a change in data processing or US surveillance laws. To avoid risks, it is therefore recommended to continuously monitor the evolving regulatory landscape and adjust data management practices accordingly. Stay informed about any updates or changes to GDPR guidelines in order to continuously ensure compliance.
The recent developments do not necessarily mean the end of personal data transfers between the EU and the US. While Meta has hinted at the possibility of discontinuing Facebook services in Europe, they will more likely appeal the decision to buy time until a new EU-US data transfer framework, scheduled for 2023, is in effect. Meta has stated that it will not stop Facebook services altogether. However, it is important to note that the situation may not continue indefinitely, as future legal decisions like ECJ’s "Schrems III" could again impact data transfers between the EU and the US. Consequently, there is an ongoing risk which could lead to a reduction in data transfers and an increased focus on implementing measures to protect these transfers, particularly in the B2B sector. Implications for data transfers with non-EEA countries beyond the US are also likely.