In a seminal moment for international data flows, the EU has fined Meta a record-breaking €1.2bn for privacy violations.
The penalty is the largest ever for a violation of GDPR, which was introduced to protect personal information. According to EU regulators, Meta broke the rules by transferring user data from the bloc to the US for processing.
The Facebook owner made these transfers on the basis of standard contractual clauses (SCCs), which govern the flow of personal data. But an EU investigation determined that SCCs don’t provide enough protection from US surveillance.
Andrea Jelinek, chair of the European Data Protection Board, called the infringement “very serious” because the transfers were systematic, repetitive, and continuous.
“Facebook has millions of users in Europe, so the volume of personal data transferred is massive,” she said. “The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
Meta called the fine “unjustified and unnecessary” and said it would appeal the ruling.
The intervention could prove pivotal for data transfers more broadly. Lawmakers in the EU and US are currently developing a new transatlantic Data Privacy Framework that would clarify the requirements for moving information across borders.
Nick Clegg, Meta’s head of global affairs, said the new ruling had disregarded the progress being made on this issue. He called it “a dangerous precedent” for data transfers that imperils the foundations of an open internet.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on,” said Clegg.
Naturally, Clegg has a vested interest in easing data flows to the US, but he’s not alone in wanting the removal of digital borders. According to Janine Regan, Legal Director for Data Protection at law firm Charles Russell Speechlys, there’s political agreement on both sides of the Atlantic to resolve the issue.
“It’s likely that an alternative transfer mechanism will be ready over the summer so that Meta does not have to completely suspend transatlantic transfers, but this will be little consolation for a company facing such a record-breaking fine,” she said.
Dangerous times for data violations
The new ruling also serves as a warning to other companies that transfer data. Chris Linnell, Principal Data Protection Consultant at cyber security firm Bridewell, called it “a stark reminder” that SCCs alone don’t adequately protect personal data.
He advised all organisations to undertake transfer risk assessments when processing personal data outside of the EU. In addition, he recommended regular ongoing reviews of compliance and potential risks to data subjects.
“Ultimately, contracts in place between parties will not act as a safeguard when recipient organisations have their own legal obligations to fulfil when it comes to national surveillance laws, such as FISA in the United States,” said Linnell.