On 22 May 2023, the Irish Data Protection Commission (DPC) fined Meta 1.2 billion euros. Let's see why.
Since 1 August 2016, personal data could be transferred from the EU to the US under the Privacy Shield, a self-certification mechanism for companies established in the United States. The European Commission recognised this mechanism as providing an adequate level of protection for personal data transferred from the EU to the US.
However, the Court of Justice of the European Union invalidated the Privacy Shield in 2020 with the well-known "Schrems II" decision. Since then, the US is no longer considered to provide an adequate level of protection, so a company that wants to transfer personal data there must rely on another tool that guarantees an adequate level of protection. Note that, according to the data protection authorities, standard contractual clauses were not sufficient in this case to guarantee an adequate level of protection for data transferred from the EU to the US.
Meta transferring data from EU to USA
Meta did not stop its transfers after the Privacy Shield was invalidated. In other words, Meta has kept transferring the personal data of EU users to the US, even though this has no longer been allowed on that basis since 2020.
Meta is not known for its respect for its users' personal data. This is the sixth sanction imposed on Meta by the DPC, and the amounts keep growing: the recent 1.2 billion euros is the highest GDPR fine ever. This new sanction brings the total imposed on the company to more than 2.5 billion euros.
If we go back a few years, we have all heard about the Facebook-Cambridge Analytica data scandal, in which the data was used to influence political events such as Donald Trump's presidential campaign. With that in mind, the sanction does not seem excessive, especially since we cannot be sure what is being done with the transferred data.
What happens next?
On top of the fine, Meta must suspend all transfers to the US within 5 months and bring its processing, including the storage in the US of EU data already transferred, into compliance with the GDPR within 6 months. If Meta is still not compliant after that, its services could become unavailable in the EU. On a larger scale, does this decision mean that every US company relying on standard contractual clauses to process EU citizens' data has to use another mechanism to ensure an adequate level of protection? This is an important question, since numerous companies do exactly that, and if the answer is yes, they will have a lot of work to do to become GDPR-compliant.
Of course, Meta decided to appeal the decision, but since the DPC adopted it on the basis of a binding decision of the European Data Protection Board (the independent body that gathers all the EU data protection authorities), it is not certain that the appeal will succeed. In any case, such a heavy sanction shows that the data protection authorities consider that, five years after the GDPR became applicable, companies must comply with it, and that if they do not, heavier sanctions will be imposed to enforce it.