The Record EUR 1.2 Billion GDPR fine in a Nutshell
On 22 May 2023, Meta Ireland was given a record fine of €1.2 Billion by the Irish Data Protection Commission for infringing the General Data Protection Regulation (‘GDPR’) rules on data transfers to third countries, that is, countries outside the EU/EEA.
Brief history of GDPR data transfers
Under the GDPR, personal data may only be transferred to a third country where it is guaranteed that the receiving country has in place a level of data protection equivalent to that of the GDPR. For transatlantic data transfers in particular, the EU-US Privacy Shield put aside any such concern for transfers from the EU to the US – one of the main cross-continental data routes for Silicon Valley. This was the position until the EU-US Privacy Shield was invalidated.
Recent GDPR developments
Following the Schrems II CJEU judgment, the EU-US Privacy Shield could no longer be relied on, since it did not provide a level of protection essentially equivalent to that afforded by the GDPR. The main reason was the overarching US national security powers, which do not guarantee the fundamental rights to privacy and data protection of EU citizens when their data is transferred from the EU to the US. Consequently, data transfers from the EU to the US now need to be based on one of the ‘appropriate safeguards’ listed in the GDPR.
The Data Controller is responsible for assessing the extent of the safeguards required to ensure GDPR-equivalent protection. One prominent basis is the Standard Contractual Clauses (‘SCCs’), as promoted by the EU institutions. However, simply adopting SCCs, without other supporting measures that ensure an equivalent level of EU data protection, is not sufficient.
Data Protection Commission Decision for Meta
One of the main reasons why Meta was handed the record GDPR fine was that it did not employ sufficient appropriate safeguards in the course of its data transfers to the US. Although Meta did not rely solely on the latest SCCs and had put in place substantive supplementary measures, the Irish Data Protection Commission still found that Meta’s measures and safeguards did not adequately “address the risks to the fundamental rights and freedoms” of data subjects.
Key Legal Issues
- Data Transfers outside of EU/EEA
- EU-US Privacy Shield Invalidated
- Lack of clarity on suitable GDPR ‘appropriate safeguards’
Effects of the Data Protection Commission Decision
The Irish Data Protection Commission Decision raises noteworthy concerns for other businesses that transfer data to the US. Since the invalidation of the EU-US Privacy Shield, businesses have searched the GDPR legal regime and the European Data Protection Board guidelines to determine the suitable extent of appropriate safeguards to adopt, with no benchmark to compare against.
Businesses have relied on SCCs as one of the main measures, whilst adopting other internal policy approaches not defined in the GDPR, and concerns remain as to whether Data Controllers are doing enough to address the applicable risk.
What this means for you
Until the new EU-US Privacy Shield is effective, data transfers to any entity not in the EU/EEA, including the US, continue to pose a substantial risk for businesses unless they are fully compliant. Under the GDPR regime, Data Controllers that are found to be in breach of the Regulation may face substantial fines that can have a material impact on the economic viability of their business. In this regard, GDPR fines can easily reach EUR 20 million, or 4% of an enterprise’s annual revenue.
How we can help
Chetcuti Cauchi’s data protection lawyers not only embrace the continuous development of technology and privacy, but are also able to examine a business’s processes and systems and advise on suitable Data Protection policies and measures tailored to its particular circumstances, in addition to standard data protection contractual approaches. Given our data protection legal expertise, we are also suitably qualified to provide Data Protection Officer (DPO) assistance.