Meta has been issued with a record €1.2bn fine for breaching GDPR by transferring data on European users to the US. The fine, issued to Facebook’s parent company by the Irish Data Protection Authority, follows a ruling by the European Data Protection Board, which found that Meta’s use of standard contractual clauses (SCCs) to enable transfers was not compliant with Europe’s data laws. The case could have big implications for transatlantic information flows.

Meta issued with €1.2bn fine by the European Data Protection Board. (Photo by Derick P. Hudson/Shutterstock)

Alongside the fine, Meta has been given six months to ensure its data transfer protocols are in line with GDPR.

Meta, which is also the owner of WhatsApp and Instagram, has been fined following a binding decision by the EDPB in April.

EDPB chair Andrea Jelinek said the EDPB found that Meta’s infringement of the rules is “very serious, since it concerns transfers that are systematic, repetitive and continuous.” She explained: “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”

It is not the first time Meta has fallen foul of Ireland’s DPC. In January, the social media giant was fined €390m for forcing users to agree to personalised adverts, deemed a breach of EU privacy rules. The company was banned from forcing users to sign up to such advertisements in future.

The IDPC has also fined WhatsApp for breaching transparency regulations around the way it shares data with other Meta platforms.

Meta published a statement in reaction to the ruling, which says the company is “disappointed” to have been singled out when “using the same legal mechanism as thousands of other companies looking to provide services in Europe.”

It says it will appeal the decision, adding that it is “flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”

The Meta statement adds: “We are pleased that the DPC also confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects’ data once the underlying conflict of law has been resolved.

“It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard.”

What is the future for standard contractual clauses?

SCCs are an instrument used by businesses to transfer data between Europe and the US.

They have been widely utilised since the July 2020 ruling in the Schrems II case, which found that the Privacy Shield – an agreement between the US and Europe to enable data to be transferred across the Atlantic – was not compatible with GDPR. This is because US law allows its government to requisition client data from companies on national security grounds, something which is prohibited under European law.

SCCs were not covered by the Schrems II ruling, but their legality has never been tested in court. Because of this, today’s ruling will have an impact on all companies that hold and share data on Europeans, explains Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy and cybersecurity practice.

“This is a rare case of the first billion euro fine under the GDPR being the least important part of the story,” Machin says. “The ruling that the standard contractual clauses are not a valid mechanism to transfer personal data to the US will have a significant impact on the ability of organisations of all shapes and sizes to lawfully share and receive data from Europe.”

Will EU-US data transfers ever be legal?

It will also kick off a race against time for lawmakers to finalise the EU-US data transfer framework, a proposed new protocol for exchanging data safely, before the end of the six-month transition period that the DPC has given Meta to bring its transfers into compliance, he said.

The framework was announced last year, and though it has been agreed on a political level, the legal basis for the agreement remains unclear and is likely to be challenged by campaigners. Privacy expert Max Schrems, who brought the Schrems II case, said last year that “the European Commission is again turning a blind eye to US law to allow continued spying on Europeans” by agreeing to the new arrangement.

This means that, despite the record-breaking fine for Meta, regulators are no closer to a solution than they were ten years ago, Machin argues. “Even if the data transfer framework is agreed it will almost certainly be challenged before the European Court of Justice, just like its predecessors, and there is a reasonably good chance that it will also be invalidated,” he says.