Meta (owner of Facebook and Instagram) has received a landmark fine of € 1.2 billion for breaching data protection law when handling EU citizens' data via its Facebook service.
The largest fine ever issued under the General Data Protection Regulation (GDPR).
The fine follows the European Data Protection Board's (EDPB) investigation into Facebook's handling of EU citizens' personal data, particularly the transfer of such personal data to the US.
Transfers of EU citizens' data outside of the EU is treated as a restricted transfer by the GDPR.
The GDPR contains prescriptive requirements of the safeguards and measures which must be put in place before making a restricted transfer to ensure the personal data is transferred to a country or organisation which protects the personal data to the same standard achieved by the GDPR.
One such measure is standard contractual clauses (SCCs), a set of standardised contractual clauses produced by the European Commission containing binding obligations to protect personal data.
The purpose of SCCs is to ensure that personal data transferred across the Atlantic receives equivalent protection afforded by the GDPR.
Meta sought to rely upon SCCs when making the restricted transfer of personal data from the EU to the US concerning its Facebook service.
The EDPB found that the use of the SCCs by Meta did not sufficiently protect personal data to an equivalent standard achieved by the GDPR – primarily due to the US' extensive surveillance laws, which permit US intelligence agencies to access personal data for matters of national security.
In addition to the fine, the EDPB has ordered Meta to bring its data transfers into compliance with the GDPR.
The transfer of personal data between the EU and the US has been the subject of significant review over the previous ten years.
Firstly, former US National Security Agency contractor Edward Snowden brought the issue to public attention when he disclosed that US intelligence authorities accessed people's data via Facebook and Google.
Following action taken by data activist Maximillian Schrems, the previous framework permitting such transfers (the EU-US Privacy Shield) was invalidated in 2020 by the Court of Justice of the European Union because EU citizen's data was not protected to an equivalent standard of the GDPR due to the access rights US intelligence agencies possess.
Since such ruling, international organisations have been relying on alternative measures, including the use of SCCs, to continue the transfer of personal data across the Atlantic.
Since the EU-US Privacy Shield was invalidated, the EU and the US have been in continuing talks and discussions regarding creating a new data transfer mechanism – the EU-US Data Privacy Framework.
The EDPB's fine to Meta comes shortly after members of the European Parliament in May 2023 made a resolution that the proposed EU-US Data Privacy Framework fails to adequately protect EU citizens' personal data, again citing concerns regarding the ability of US intelligence agencies to access the data (amongst other issues).
The decision of the EDPB relates to the protection of EU citizens' personal data.
It, therefore, has no effect on the UK given the UK's departure from the EU via Brexit.
It remains to be seen if the UK's Information Commissioner would follow suit or be influenced by the stance taken by Ireland's Data Protection Commissioner.
The UK has its own data protection regime, which, whilst still closely aligned with the EU's data protection framework, is starting to develop its nuances since Brexit.
Further information regarding the UK's data protection regime can be found in our article, Data Transfers: The New Regime.
For more information and guidance on preparing your business for the changes in data protection law, you can contact our specialist Technology team below:
Blogs