Meta Fined Record Amount by the Irish DPC for Data Breaches

Facebook’s parent company, Meta, has been fined a record 1.2 billion Euros by the Irish Data Protection Commission (DPC) for breaking GDPR laws. The fine is the largest GDPR sanction ever to be handed out and has shocked the industry. 

Why Was Meta Fined 1.2 Billion Euros?

Facebook was fined by the DPC for mishandling user data and infringing Article 46(1) GDPR by moving the data of its European users on Facebook to the United States. The DPC found that the correct standard contractual clauses were not adopted to address the risks to users’ fundamental rights and freedoms. Standard contractual clauses (SCCs) are legal contracts prepared by the European Commission that contain safeguards to ensure user data is still protected even when handled outside of Europe. Despite this, experts worry that such transfers expose the data of Europeans to weaker US privacy laws and even US intelligence organisations. In addition to the fine, Meta is required to suspend all data transfers to the US for five months as well as bring its operations into compliance with Chapter V of the GDPR.

In response, Meta has called the fine “unjustified”, because it believes that it has been punished for something that is allegedly standard practice among multinational corporations. However, the DPC found in its inquiry that Meta was participating in transfers that the Commission describes as systematic, repetitive, and continuous infringements of GDPR rules. In this respect, the data protection authority stated that this unprecedented fine was meant to be a strong signal to organisations about the consequences of not following EU data protection laws.

Which GDPR Laws Did Meta Break?

The DPC says that Meta willfully abused standard contractual clauses for its own benefit when it moved European user data to the US. Although moving data between the two continents is legal when done via SCCs, the clauses still require an adequate level of protection for users’ information even in third countries. Meta, through Facebook, failed to meet this threshold and was found to be in breach of data protection laws, in particular Article 46(1) of the GDPR.

Article 46(1) of the GDPR states that “a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”

This is a common theme in tech, where the mantra ‘move fast and break things’ is often used. As one senior fellow at the Irish Council for Civil Liberties put it, Meta was essentially being fined a billion-euro parking ticket when it earns many billions more by parking illegally. The conclusion is that user data is worth a lot of money to tech companies and some do cross the line in pursuit of profits. Fines as large as the one handed down to Meta may just give some of them pause for thought.

What Message Does This Send to Other Companies?

The DPC saw Facebook’s infringements as very serious and therefore wanted to provide a clear signal to organisations that falling foul of data protection rules can have “far-reaching consequences”. The fine will be a wake-up call to companies to ensure their services comply with GDPR rules, because regulatory bodies are willing to hit hard when privacy laws are broken.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.

We are here to help you. Get in contact with us today for more information.
