of Europe GDPR has just delivered its biggest hammer blow yet. Almost exactly five years since the continent’s strict data rules went into effect, Meta has been hit with a colossal fine of 1.2 billion euros ($1.3 billion) for sending data on hundreds of millions of Europeans to the United States, where the rules of privacy are weaker. to American espionage.
The Irish Data Protection Commission (DPC), the main Meta regulator in Europe, issued the fine after years of dispute over how data is transferred across the Atlantic. He decision says a complex legal mechanism, used by thousands of companies to transfer data between regions, was not legal.
The fine is the largest GDPR sanction ever issued, dwarfing Luxembourg’s $833 million fine against Amazon. It brings the total amount of fines under the legislation to around €4 billion. However, it is a small change for Meta, which made $28 billion in the first three months of this year.
In addition to the fine, the DPC ruling gives Meta five months to stop sending data from Europe to the US and six months to stop handling data it previously collected, which could mean deleting photos, videos and Facebook posts or return them to Europe. . The decision is likely to attract other GDPR powers, which may affect how companies handle data and arguably strikes at the heart of Big Tech’s surveillance capitalism.
Goal says he is “disappointed” by the decision and will appeal. The decision is also likely to increase pressure on US and European negotiators who are scrambling to finalize a long-awaited new data-sharing deal between the two regions that will limit the information US intelligence agencies can get their hands on. A draft decision was agreed to by the end of 2022, and a potential deal will be finalized later this year.
“The entire trade and commercial relationship between the EU and the US, underpinned by data exchanges, can be affected,” says Gabriela Zanfir-Fortuna, vice president of global privacy at the Future of Privacy Forum, a non-profit think tank. profit. “While this decision is directed at Meta, it deals with facts and situations that are identical for all US companies doing business in Europe and offering online services, from payments, to cloud, social media, electronic communications or software used in schools and public administrations.”
The one billion euro fine against Meta has a long history. It dates back to 2013, long before the GDPR was implemented, when lawyer and privacy activist Max Schrems complained about the ability of US intelligence agencies to access data following the Edward disclosures. Snowden about the National Security Agency (NSA). Twice since then, Europe’s highest courts have struck down data sharing systems between the US and the EU. The second of these sentences, in 2020, made the Ineffective Privacy Shield Agreement and also tightened the rules around “Standard Clauses of Contract (SSC)”.
The use of SCC, a legal mechanism to transfer data, is at the center of the Meta case. In 2020, Schrems complained about Meta’s use of them to send data to the US. Today’s Irish decision, supported by other European regulators, found Meta’s use of the legal tool ” did not address the risks to the fundamental rights and freedoms of data subjects”. In short, they were illegal.