Meta/Facebook fined $1.3 Billion for Breaches of the GDPR
2 Keys to Avoiding a Similar Fate
By Paul Sutton, HSP General Counsel
The complications of avoiding breaches relating to the European Union (EU) General Data Protection Regulation (GDPR) were once again laid bare this week. Meta’s platform Facebook was on the receiving end of a record-breaking fine totaling $1.3 billion (1.2 billion EURO) imposed this week by Ireland’s Data Protection (EU) regulator, sending shockwaves around global business circles.
Meta has been given five months to implement the suspension of Facebook data transfers from the EU to the US and has been given six months to stop the processing (including storage) in the US of personal EU data already transferred across the Atlantic.
This substantial punishment was imposed due to a finding by the regulator that there were violations of EU privacy laws as Facebook users within the EU were having personal information sent to the United States. This is not the first time a major multinational company has fallen foul of these laws, with Amazon having been charged and fined for similar breaches to the amount of $805.7 million (746 million EURO) in 2021.
Meta’s EU base is in Ireland, and it said it had been wrongly “singled out” by the Irish regulator. Meta says that thousands of other businesses in the EU use the same data transfer mechanism to validate transatlantic data transfers to the US (‘Standard Contractual Clauses / “SCC”) that Facebook have been sanctioned for relying upon. The Irish regulator has now said that SCCs give insufficient protection for data transferred to the US. They state this is because European users’ data is not sufficiently protected from US intelligence agencies when it is transferred across the Atlantic following concerns resulting from the Edward Snowden revelations.
Meta is launching an appeal against the penalty and the regulator’s findings, but it is unclear when that will be heard.
Let’s look at 2 of the key steps you can take to help avoid falling into the traps Meta has faced this week.
Step 1: Don’t drop the homework.
Since the passing of the EUs signature GDPR law on May 25, 2018, compliance issues around data protection in the EU and any country in the world that receives the data of EU residents has become a very slippery slope. There are 98 articles outlining all the of the framework in place for the GDPR. It is a highly complex and detailed law, and the GDPR is in fact one of the most extensive pieces of legislation of any nature to be passed into law in the EU in the past 50 years. The requirement from policymakers is that you are fully aware of and compliant with every aspect of the GDPR and are ready to maintain its many internal and external data policies and all the many other legal compliance requirements from the word go.
The GDPR legislation is so complex and voluminous it is simply not possible to achieve compliance without specialist input and assistance. HSP is well placed to provide the professional assistance to advise on all aspects of GDPR (and other global data protection frameworks). HSP’s specialist in house privacy counsel have advised extensively on every aspect of the GDPR since its inception in 2018 and have experience of advising on data protection issues in over 140 countries in the world.
Step 2: Act as though you’re headquartered in the EU.
The jurisdiction of the EU in enforcing GDPR is not location exempt. The GDPR has what is called “extra-territorial jurisdiction” which means that the EU regulators can pursue infringements of the GDPR against any organization in the world even if that organization has no presence and no employees in the EU. If you collect (or “process”) the personal information / data of any EU residents, then you are subject to the full compliance requirements (and potentially the full range of sanctions) of the GDPR no matter where you are located.
In defending their stance this week Meta have cited the importance of data sharing between the US and EU considering a ‘global open internet’ as vital in offering goods and services to customers around the globe, referring to progress being made in addressing EU concerns over US data surveillance.
These may or may not be valid geopolitical points. As of now, they remain separate to the absolute requirement for strict compliance with the GDPR regulations within the EU. You too could potentially be subject to draconian penalties if you collect the data of any EU residents (irrespective of which country outside the EU it is collected in or transferred to) and you are not FULLY compliant with all aspects of the GDPR. It is vital that organizations review their position and take urgent steps to address any current non-compliance with the GDPR.
Work with experts
HSP Group offers the expertise you need to keep compliant with GDPR across all your organizational practices to help avoid the operational, commercial, financial and reputational damage that will result from sanctions for infringements. We specialize in helping companies just like yours expand internationally with ease. Whether you need GDPR advice for the EU or UK or any other data protection service for other countries globally, we tailor our engagement to your needs and will be happy to discuss any aspect of that service with you.
About the author: Paul Sutton is an HSP General Counsel and one of the most experienced data privacy lawyers in the UK. He has advised on data protection requirements and compliance in around 140 countries. Contact Paul at firstname.lastname@example.org