At a glance: Meta's €1.2bn fine
Social media giant Meta (formerly Facebook) has received a record-breaking €1.2bn fine from Ireland’s Data Protection Commission (DPC) for mishandling user information—putting many companies on high alert.
In addition to the fine, Meta was ordered to suspend data transfers between the US and EU and now has six months to stop “unlawful processing, including storage” of EU user data in the US.
Keep reading to learn why Meta was fined and explore the broader implications for privacy and data transfers, including the role of Standard Contractual Clauses (SCCs) and whether companies can actually achieve adequate safeguards in the current legal environment.
Why Ireland's DPC fined Meta
The Irish DPC found that Facebook, a Meta company, had failed to protect EU citizens’ user data by unlawfully transferring that data to the US—a violation of the EU’s landmark privacy law the General Data Protection Regulation (GDPR).
The core requirements from the DPC's decision are:
within 5 months, Facebook must stop transferring data in violation of the GDPR;
pay 1.2 billion euros; and
within 6 months, stop processing and storing EU residents’ data within the US.
This decision bookends a prolonged legal saga involving the now defunct Privacy Shield, several legal challenges by privacy advocate Max Schrems, and disagreements between the Irish DPC and the European Data Protection Board (EDPB) about the adequacy of Facebook’s use of SCCs.
The €1.2bn fine is significant, without question. But the issue we’re exploring here is the DPC’s order that Facebook suspend EU/US data transfers and delete EU citizens’ data currently stored in the US.
The role of SCCs
Many companies, including Facebook, transfer data from the EU to the US using the SCCs updated in 2021—which, theoretically, sufficiently protect EU data from potential US government surveillance. However, the Irish Data Protection Commission argued that Facebook did not achieve adequate safeguards, despite using these SCCs.
In the news surrounding the order, commentators have suggested that to achieve compliance post Schrems II, Facebook would need to fundamentally restructure their data transfer mechanisms—even going so far as to implement full data localization.
Against this backdrop, it’s likely many organizations do not meet the standards expected by the EDPB and other regulatory authorities in the EU. There is significant uncertainty on what, if any, technical and organizational safeguards would be considered sufficient to protect EU residents' data.
Businesses will need to look critically at their processing activities and either draw clear distinctions between Facebook's practices and their own, or restructure their processing to fully localize data within the EU. Transcend customers, for example, can deploy an EU-localized hosting option by default, mitigating the risk of non-compliant data transfers.
Either way, it’s important that organizations assess their risk levels and take steps toward compliance.
Steps businesses can take to decrease compliance risk
Firstly, you’ll need to assess your organization’s current data transfers, including those via third-party vendors, for compliance with SCCs and the guidance set out by the EDPB following Schrems II.
Then, ensure your organization is leveraging technical and organizational safeguards, such as secure data hosting, two-factor authentication, and access controls, to enable extra protection of personal data transfers.
The ICO has created a separate set of guidance, as well as an online tool, designed to assist with performing and analyzing Transfer Impact Assessments.
Finally, a robust privacy program should be put in place to ensure your organization’s data protection policies, procedures, and safeguards are routinely reviewed, tested, and updated. This will go a long way toward reducing the risks of data breaches and regulatory action.
Coming in at over a billion dollars, Meta’s recent fine is a shock to the system for enterprise companies using SCCs for data transfers. To ensure compliance and mitigate risk, businesses need to ensure they have adequate safeguards in place.
While it’s likely that businesses will continue to adopt a risk-based approach to data transfers, the Irish DPC’s decision makes clear the importance of ensuring that personal data is protected at every stage of the process.
Businesses must take these privacy regulations seriously and adopt a proactive compliance approach—or else risk hefty fines and reputational damage.