
Meta Shatters GDPR Fine Record With $1.3 Billion Penalty for International Data Transfers

A new record for GDPR fines has been set as the European Data Protection Board (EDPB) is requiring Meta to pay $1.3 billion for its international data transfers related to the dissolution of the Privacy Shield framework.

The decision is another major victory for data privacy crusader Max Schrems and his group noyb, the motivating force that upended EU-US data transfers after the Snowden leaks revealed the extent to which they are intercepted and monitored by US intelligence. This particular investigation was initiated by the Irish Data Protection Commission (DPC) in 2020, which had settled on much weaker penalty terms that were overturned by the EDPB.

GDPR fines crack $1 billion mark with Meta penalty

The new GDPR fine beats out Amazon’s prior record, a 2021 tally of the equivalent of $888 million USD for an assortment of data transfer and processing violations. Meta did get off light in a relative sense, however, as the law’s terms would have allowed for a fine as large as $4 billion.

Alasdair Anderson, VP of Protegrity, notes that fines of this size are generally reserved for serious crimes: “Fines in the billions have only previously been reserved for the worst breaches of responsibility, with the €1.2 billion figure casting a large shadow over the previous EU record fine of €746 million handed to Amazon. The figure is comparable to the money laundering scandals of Westpac ($1.3 billion), Danske Bank ($2 billion), and HSBC ($1.9 billion), which only further highlights the importance of this decision to the future of data protection and EU-US data flows. The decision will have implications that will ripple far beyond the tech ecosystem. Industries that are heavily reliant on this data flow, particularly supply chain, manufacturing, and petroleum/chemical, will now be considering their use of data more so than ever before. Unlike Meta, for a large number of organisations a fine of this magnitude and a data blackout could have serious implications, putting them in a position they may not survive.”

This particular case has been simmering for nearly a full decade, well before the beginning of GDPR enforcement, with initial complaints about Meta’s international data transfers lodged with the European Court of Justice (CJEU) and EDPB. The central point of the issue is Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows for “bulk collection” of internet data flowing into and out of the United States. This collection can be indiscriminate, is not subject to any real judicial oversight, does not allow EU data subjects any access to what is collected or any recourse, and the Snowden leaks of 2013 made clear that the NSA and other agencies are prone to abusing it at times.

Schrems and noyb have used this to invalidate two subsequent US-EU data transfer framework agreements, “Safe Harbor” and “Privacy Shield,” the latter of which is backed by a European high court ruling that establishes the terms of these agreements are in violation of GDPR rules. A new agreement in principle was recently reached, but it is widely expected to be challenged in court by Schrems as soon as it is put into effect.

The Irish DPC’s initial decision was to forgo a GDPR fine entirely, merely asking Meta to delete collected data. In addition to the massive penalty, Meta will also be required to track and recover the EU personal information it has already shipped overseas.

EU-US data transfer remains in flux

The GDPR fine is not a completely settled matter, as Meta still has the ability to appeal. Such an appeal would likely be another lengthy process, and could end with the fine amount being reduced and a suspension of the data deletion orders. With an annual revenue of about $117 billion, and about 10% of that thought to come from ads run in the EU, the penalty is a little over 10% of Meta’s yearly earnings in the region.

Meta has threatened to pull its business entirely from the EU if data transfer decisions do not go its way. However, in 2022 the company commenced construction of two regional data centers meant for AI functions and has announced plans for a third. Meta’s apparent hope is to push off the GDPR fine until the new international data transfer agreement goes into effect, which would at least buy some time as that agreement goes through another Schrems legal challenge. The ruling gives the company five months before it has to cease its current data transfers and six months before it must clear all applicable data held in the US, and the order also only applies to Facebook.

That might be enough time for the new data transfer agreement to go active; expectations are that it will be in place sometime between July and October. The agreement has dicey chances of long-term survival, however. It adds certain elements that were specifically noted in the prior Schrems court decisions, like an independent Data Protection Review Court meant to give Europeans redress when they feel the US has inappropriately accessed their data, but it is still not expected to be found adequate so long as intelligence agencies remain relatively free to access international data with little oversight.

While efforts at passing federal data privacy laws comparable to the GDPR terms continue to wax and wane in Congress, with no clear finish line in sight, at least one major element could be addressed by the beginning of 2024. FISA Section 702 is scheduled to sunset as 2023 ends, and it would take an act of Congress to extend it. Elements of both parties oppose it, but the leadership of both parties voted to extend it in 2018. The Justice Department and intelligence agencies are in support of it. The House Intelligence Committee currently has a working group on it that is generally in favor of renewal, but is pushing for reforms that would restore a sense of public trust.

And while the decision does not automatically shred Standard Contractual Clauses (SCCs) as a legal mechanism, it does force businesses using them to confront the possibility that similar complaints could lead to similar GDPR fines. As John Magee, Head of Data Protection, Privacy & Cybersecurity for DLA Piper Ireland, observes: “While the scale of the DPC’s record-breaking fine is certainly eye-catching, the suspension order will probably bite much harder for Meta, both operationally and commercially. Leaving aside the specifics of the long-running case against Meta, the DPC’s decision also carries major implications for businesses across all sectors engaged in the day-to-day activity of international transfers of personal data. Meeting the requirements of the Schrems II case has already proved a challenge even for the most sophisticated and well-resourced organisations. And while global data transfers are still possible to lawfully carry out, the DPC’s decision has now raised the stakes, focussing attention on the controls that organisations need to have in place as well as forcing businesses to think about their overall data governance strategies.”

Rehan Jalil, President & CEO of Securiti, additionally sees this as a prompt for greater automation: “This highlights the need for automated systems that can provide deep insights into the sensitive data, as well as insights into the context around that data, such as all the regulations that apply, geographic location, access permissions, etc. With these automated insights, organizations can intelligently monitor and alert for potential violations, as manual processes are often inadequate given the sheer volume of sensitive data companies handle.”