At a crucial time for international data flows, the EU has fined Meta a record €1.2 billion for privacy violations.
The fine is the highest ever for a violation of the GDPR, which was introduced to protect personal information. According to EU regulators, Meta broke the rules by transferring user data from the bloc to the US for processing.
The Facebook owner made these transfers on the basis of Standard Contractual Clauses (SCCs), which govern the flow of personal data. But an EU investigation has found that SCCs provide insufficient protection against US surveillance.
Andrea Jelinek, President of the European Data Protection Council, called the breach “very serious” because the transfers were systematic, repetitive and continuous.
“Facebook has millions of users in Europe, so the amount of personal data transferred is huge,” she said. “The unprecedented fine is a strong signal to organizations that serious violations have far-reaching consequences.”
Meta called the fine “unjustified and unnecessary” and said it would appeal the ruling.
The intervention could be crucial for data transfer in a broader sense. Lawmakers in the EU and the US are currently developing a new transatlantic data privacy framework that would clarify the requirements for the cross-border movement of information.
Nick Clegg, Meta’s head of global affairs, said the new ruling ignored progress being made in this area. He called it “a dangerous precedent” for data transfers that jeopardize the foundations of an open internet.
“Without the ability to transfer data across borders, the internet threatens to split into national and regional silos, limiting the global economy and depriving citizens in different countries of access to many of the shared services we have come to rely on,” said Clegg.
Of course Clegg has every interest in facilitating data flows to the US, but he is not the only one who wants digital borders to disappear. Janine Regan, legal director of data protection at the law firm Charles Russell Speechlys, says there is political agreement on both sides of the Atlantic to resolve the issue.
“It is likely that an alternative transfer mechanism will be ready in the course of the summer, so Meta need not completely suspend transatlantic transfers, but this will be of little consolation to a company facing such a record fine,” she said.
Dangerous times for data breaches
The new ruling also serves as a warning to other companies that pass on data. Chris Linnell, Principal Data Protection Consultant at cybersecurity firm Bridewell, called it “a stark reminder” that SCCs alone do not sufficiently protect personal data.
He advised all organizations to carry out transfer risk assessments when processing personal data outside the EU. In addition, he recommends regular ongoing assessments of compliance and potential risks to data subjects.
“Ultimately, contracts between parties will not provide protection when receiving organizations have to fulfill their own legal obligations when it comes to national oversight laws, such as FISA in the United States,” said Linnell.