Meta Hit by Record GDPR Fine

By Dave McKay | May 25, 2023

Meta Hit by Record GDPR Fine

Facebook’s parent company is no stranger to fines under European data protection laws, having been served fines of up to €265 million over the last few years. A lot of money, but some have said that to Facebook, it’s a drop in the ocean.

The latest fine to be levied against the social media giant is enough to quash those complaints, €1.2 billion times over. That’s $1.3 billion US dollars. There’s isn’t a company on the planet that isn’t going to notice that coming off their bottom line.

The CJEU (European Court of Justice) has ruled that Meta have transferred personal data belonging to European citizens to the United States. This has been done in breach of Article 46(1) GDPR.

In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

GDPR Article 45(3) refers to adequacy decisions. If the European Commission determine that the data protection legislation of the target country is sufficient in their view to provide the same protection and rights as GDPR, transfers to personal data belong to EU citizens to that country are permitted.

As of the time of writing, the list of companies and territories that have been rubber-stamped as acceptable is:

Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, Uruguay, and the United Kingdom

Notable by its absence is the US. There used to be a framework called Privacy Shield that US companies could adopt and which provided sufficient safeguards that it was awarded a partial adequacy decision. However, this decision was reversed in 2020.

The reason the partial adequacy decision on Privacy Shield was reversed was because of the US’s FISA 702 (Foreign Intelligence Surveillance Act, section 702) which gives the US surveillance powers over foreign nationals, and their data.

Meta will of course appeal but because the CJEU has already determined there was no valid legal basis for the EU-US data transfers, there is little chance that they’ll be successful.

Source: NOYB

Categories

Tags