Meta has just been slapped with a whopping €1.2 billion fine imposed by the Irish Data Protection Authority (IE DPA). This happened following the issue of transferring the personal data of European users to the United States.
So, what exactly happened? Well, it turns out that Meta was getting a little too careless with the personal data of European users. Since July 2020, they’ve been transferring this data to the United States using standard contractual clauses. Seems innocent enough, right? Wrong! The European Data Protection Board (EDPB) deemed this whole operation unlawful.
Meta has been ordered to put an end to this data transfer procedure within six months. The Irish Data Protection Commission (DPC) found that Meta Ireland breached Article 46 (1) of the GDPR, which deals with transferring data to third countries. Basically, organizations can transfer data as long as they have proper safeguards and legal remedies in place for data subjects. But, according to the DPC, Meta’s measures fell short of addressing the risks to data subjects’ rights and freedoms.
Now, this inquiry has been going on for a while. It all started back in August 2020, and after a green light from the Irish courts in May 2021, things really started heating up. The DPC had ample time to prepare a draft of the decision, and guess what? Most of the other EU/EEA members supported it.
Andrea Jelinek, the President of the European Data Protection Board (EDPB), didn’t hold back in expressing her thoughts on the matter. She called this violation “very grave” because it involved regular, frequent, and ongoing transfers. Ouch! Jelinek also made it clear that this unprecedented fine should serve as a wake-up call to other companies out there.
Meta has learned the hard way that they need to play by the rules when it comes to data transfers. This will be a lesson to all companies out there.
