Why Was Meta (Facebook) Fined $1B+?

In a groundbreaking decision, Meta, formerly known as Facebook, was fined $1.3 billion by Ireland’s Data Protection Commission for violating European Union (E.U.) data protection rules. This penalty is one of the most significant since the E.U. implemented the General Data Protection Regulation (GDPR) in 2018, marking a pivotal shift in the enforcement of global privacy laws.
Meta’s breach of the GDPR stems from its failure to comply with a 2020 E.U. court decision, which held that data from E.U. citizens transferred to the U.S. wasn’t sufficiently protected from American security agencies. The case was initiated by Austrian privacy activist Max Schrems, whose lawsuit led to the invalidation of the U.S.-E.U. Privacy Shield pact that had previously allowed companies like Meta to transfer data between the two regions.
According to Article 83 of the GDPR, Meta’s violation could lead to fines of up to €20 million or 4% of the firm’s worldwide annual revenue, whichever is higher. This suggests that regulators are starting to take the GDPR’s stipulations more seriously, indicating a new era in data privacy enforcement. In light of these heavy fines, it’s clear that companies can no longer afford to overlook data protection and must put a higher emphasis on user privacy.
The case also raises larger issues about the international transfer of data. The ruling could result in tech companies being required to store data in the country where it is collected, which would fundamentally alter the borderless way that data has traditionally been handled.
From a GDPR perspective, international data transfers are subject to guidelines to ensure the protection of personal data when it moves across borders. The core principle is that personal data should be afforded the same level of protection regardless of where it is processed.
According to Chapter V of the GDPR, transfers of personal data to countries outside the E.U., also known as “third countries”, can only occur if the country in question provides an adequate level of data protection. The adequacy of data protection is determined by the European Commission based on an assessment of the country’s domestic laws and international commitments pertaining to data protection.
In cases where the third country does not provide an adequate level of data protection, the data exporter must implement appropriate safeguards to protect the data. This could include methods such as binding corporate rules, standard data protection clauses adopted by the Commission, or an approved code of conduct or certification mechanism.
In the case of Meta, the crux of the issue was that the European Court of Justice did not believe that data transferred to the U.S. was sufficiently protected from American security agencies. As a result, Meta’s data transfer practices were found to be in violation of the GDPR, leading to the record-breaking fine.
Going forward, to comply with GDPR regulations, Meta and other similar companies will need to ensure that they are adequately safeguarding the personal data of E.U. citizens during international transfers, in line with the stringent requirements of the GDPR.
This isn’t Meta’s first time facing GDPR penalties. In January 2023, Meta was fined €390 million for forcing users to accept personalized ads, and in November 2022, it received a €265 million fine for a data leak. Other tech giants, like Google and Amazon, have also faced GDPR fines for non-compliance, making it clear that this issue extends beyond just Meta.
In conclusion, this case marks a turning point in the enforcement of the GDPR and a significant development in the global landscape of data privacy. Companies will need to be increasingly diligent about data protection or risk facing serious consequences.