Facebook’s owner Meta has been fined €1.2bn ($1.3m) by EU regulators for violating the General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on May 22, 2023.
The Irish watchdog said that Meta’s transfers of personal data to the US on the basis of standard contractual clauses (SCCs) since 16 July 2020 violate GDPR.
In 2020, the European Court of Justice revoked the Privacy Shield, an EU-US data flows agreement, over fears of US surveillance practices and limited the use of SCCs.
While the EU and the US are working on a new data flow deal expected later this year, Meta and other multinational companies have continued to rely on the previous agreement illegally, the DPC said.
Meta has been given until October 12, 2023, to stop relying on SCCs for its transfers.
This is the biggest fine imposed under GDPR, amounting to almost twice the previous record of €746m ($808m) issued to Amazon by Luxembourg’s data protection authority (CNPD) in July 2021.
Andrea Jelinek, chair of the European Data Protection Board (EDPB), justified the amount, saying that “Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has hundreds of thousands of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
A Wake-Up Call to US Companies
According to Edward Machin, a senior attorney in Ropes & Gray’s data, privacy & cybersecurity practice, the amount of the fine is “the least important part of the story.”
“The DPC’s ruling that the standard contractual clauses are not a valid mechanism to transfer personal data to the US will have a significant impact on the ability of companies of all shapes and sizes to lawfully share and receive data from Europe,” he told Infosecurity.
“It will also kick off a race against time for lawmakers to finalize the EU-US data transfer framework before the end of the six-month transition period that the DPC has given Meta to bring its transfers into compliance,” Machin said.
John Magee, the head of data protection, privacy & cybersecurity at DLA Piper Ireland, agreed.
“While the scale of the DPC’s record-breaking fine is certainly eye-catching, the suspension order will probably bite much harder for Meta, both operationally and commercially,” he said.
Machin also expects that the forthcoming data flow agreement between the EU and the US may not resolve the matter.
“This saga has been rumbling on for more than a decade and we are still no closer to a lasting solution. Even if the data transfer framework is agreed it will almost certainly be challenged before the European Court of Justice, just like its predecessors, and there is a fairly good chance that it will also be invalidated. In the meantime, companies on both sides of the pond are stuck in a groundhog day that will continue to cost significant time and money while not providing the legal certainty that surely isn’t too much to ask for at this point,” Machin said.
Magee also argued that this fine could act as a wake-up call for US companies. “Leaving aside the specifics of the long-running case against Meta, the DPC’s decision also carries significant implications for organizations across all sectors engaged in the day-to-day activity of international transfers of personal data. […] And while international data transfers are still possible to lawfully carry out, the DPC’s decision has now raised the stakes, focusing attention on the controls that organizations need to have in place as well as forcing companies to think about their overall data governance strategies.”
Meta has previously been issued five other fines under GDPR, totaling €2.502bn ($2.708bn) in financial penalties since 2018.
May 25, 2023, will mark the fifth anniversary of the EU privacy regulation.
Some parts of this article are sourced from:
www.infosecurity-magazine.com