
Record €1.2 billion Fine Against Meta Marks Five Years of GDPR Enforcement

Five years into GDPR enforcement, the Irish Data Protection Commission (DPC) fined Meta a record €1.2 billion ($1.3 billion) for data transfer practices that violate the EU’s General Data Protection Regulation (GDPR).

The DPC reached this conclusion after deciding a case in which it examined how Meta Ireland continued to transfer the personal data of EU users to the United States after a Court of Justice of the European Union (CJEU) ruling that invalidated the EU-U.S. Privacy Shield, the data transfer agreement between the two jurisdictions.

Meta relied on Standard Contractual Clauses (SCCs), a transfer mechanism that the CJEU ruling left available subject to additional safeguards, while EU and U.S. regulators worked to establish a new data transfer agreement. However, “these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgement,” the DPC said in a press release.

In its initial draft decision, the DPC found that the data transfers infringed Article 46(1) of the GDPR and ordered that they be suspended within five months, by the end of October 2023. Only after peer regulators in Europe objected and the European Data Protection Board (EDPB) issued a binding decision on the dispute was the DPC directed to also impose a fine for the violation.

“The EDPB found that Meta (Ireland’s) infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous,” said EDPB Chair Andrea Jelinek in a statement. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”

In a statement, Meta President of Global Affairs Nick Clegg and Chief Legal Officer Jennifer Newstead said the company will appeal the ruling.

“Ultimately, the invalidation of Privacy Shield in 2020 was caused by a fundamental conflict of law between the U.S. government’s rules on access to data and the privacy rights of Europeans,” Clegg and Newstead wrote. “It is a conflict that neither Meta nor any other business could resolve on its own. We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.”

A Surveillance Conflict

This conflict was first exposed in 2013 when former U.S. National Security Agency (NSA) contractor Edward Snowden leaked classified documents to the press detailing surveillance programs, operated under Section 702 of the Foreign Intelligence Surveillance Act (FISA), that allowed U.S. intelligence agencies to obtain EU users’ data from technology companies.

Austrian privacy campaigner Maximilian Schrems then filed a complaint with the DPC, claiming that Meta’s transfer of his personal data to the United States violated Irish and EU data protection law. His complaint ultimately led the CJEU to invalidate Safe Harbor, the data transfer agreement between the EU and the United States, in a 2015 decision known as Schrems I.

After that decision, the EU and United States negotiated a new data transfer agreement called Privacy Shield. Schrems challenged that agreement as well and was again successful, in part because of U.S. intelligence agencies’ access to EU residents’ data. That 2020 decision, known as Schrems II, invalidated Privacy Shield but allowed companies to keep using standard contractual clauses (SCCs), together with additional safeguards, to transfer data outside the EU in a manner that respects EU privacy law while regulators negotiated a new data transfer agreement.

Meanwhile, the DPC continued to assess Schrems’ original 2013 complaint and issued its determination on Monday that Meta was in violation of the GDPR and subject to a fine. Schrems’ organization noyb put out a statement after the decision, calling it an example of GDPR enforcement not working, even though the decision was in its favor.

“Not only did it take more than ten years for the DPC to reach a first decision (which will now be appealed), the case also required Max Schrems to engage in three sets of litigation against the Irish DPC to force it to do its job. This included the Court of Justice of the EU and the EDPB telling the Irish DPC three times to effectively handle the case. The cost of this litigation is estimated at more than €10 million.”

Others see the ruling differently: the DPC’s Monday decision reveals that SCCs may not be enough to address the underlying surveillance and privacy issues raised by U.S. intelligence agency practices, wrote International Association of Privacy Professionals (IAPP) Vice President and Chief Knowledge Officer Caitlin Fennessy and Director of Research and Insights Joe Jonas in a blog post.

“This final DPC decision indicates EU [data protection authorities] do not believe Meta’s use of SCCs and additional safeguards can fill the legal void left by the Schrems II decision, on account of U.S. rules and practices related to government access to data for the purposes of law enforcement and national security,” they wrote. “The fact that Meta bears the bruise of such a decision demonstrates, once again, that this is a challenge companies alone cannot fully resolve.”

Instead, pressure will increase on U.S. and EU negotiators to finalize a new data transfer agreement that respects the GDPR and privacy rights.

“The size of this record-breaking fine is matched by the significance of the signal it sends, that time is up,” said Fennessy in a statement shared with Security Management. “If a diplomatic fix doesn’t come soon, the impact across companies will be far greater than the fine itself. All eyes will now turn to the timetables outlined and how soon the adequacy determination for the EU-US Data Privacy Framework can be finalized.”

She added that the Irish DPC’s decision also signals major risks for companies.

The decision “could lead EU businesses to demand data localization from U.S. business partners or to switch to domestic alternatives,” Fennessy explained. “Such shifts could outlast the adequacy process itself.”

The GDPR Effect

Five years after the GDPR became enforceable on 25 May 2018, it continues to have ripple effects on how people perceive privacy and how regulators protect it.

The regulation has led European companies to spend, on average, more than €1.1 million ($1 million) on privacy, and more than 130 countries now have a national privacy law, according to analysis from IAPP’s Jonas.

Don Zoufal, president of CrowZnest Consulting and member of the ASIS International Emerging Technology Community Steering Committee, says that GDPR’s effect has been profound.

“The scope of regulation and its reach to companies operating under the jurisdiction of the EU is extensive,” Zoufal explains. “It directly affects data use for operations, including security operations, for entities incorporated or operating both within the borders of the EU and beyond. The economic power of the EU makes the application of GDPR data protection rules a baseline standard for any company with business interests in the EU.”

Zoufal adds that the regulation also produced the Brussels Effect: the influence the GDPR has had on countries around the globe as they develop regulatory structures to address data privacy issues and concerns. Recent consumer privacy laws in the U.S. states of California, Colorado, and Virginia are examples of this effect, he says.

“In the post-GDPR era, security professionals need to be mindful of privacy concerns,” Zoufal adds. “Not only is scrutiny over the use of personally identifiable information (PII) heightened, the very definition of what PII is is changing. As an example, the ability to aggregate data like CCTV imagery with other data sources may convert something that was not PII at its collection into something that is PII. Security professionals need to pay increasing attention to what data they collect and how they use data.”

The DPC’s decision could also complicate the effort to renew U.S. surveillance authorities that conflict with the GDPR, even though U.S. President Joe Biden signed an executive order in October 2022 introducing reforms that limit what data U.S. intelligence agencies can access, as the basis for the proposed EU-US Data Privacy Framework.

“The executive order would, among other things, create a Data Protection Review Court within the U.S. Department of Justice that allows Europeans to challenge how American intelligence agencies use their data,” according to WIRED.

The Section 702 program is set to expire at the end of 2023 unless the U.S. Congress passes legislation to renew it. Alongside international critics, Americans have also raised concerns about the program’s use to collect data on U.S. citizens without a warrant.

“Although purportedly targeted at foreigners, Section 702 has become a rich source of warrantless government access to Americans’ phone calls, texts, and emails,” according to analysis from the Brennan Center for Justice, which is arguing for significant reforms to the program if it's renewed. “In 2021 alone, the FBI conducted up to 3.4 million warrantless searches of 702 communications to find Americans’ information.”