What Meta’s €1.2 Billion Fine Means for GDPR Compliance
Last month, Ireland's Data Protection Commission (DPC), acting on a binding decision of the European Data Protection Board (EDPB), announced an unprecedented fine of €1.2 billion over the data transfer practices of Meta, the parent company of Facebook. The penalty is the largest fine ever imposed under the European Union's General Data Protection Regulation (GDPR).
Equivalent to roughly $1.3 billion USD, the fine was issued by the Irish DPC over Meta data transfer practices that the EDPB called “systematic, repetitive, and continuous.” The record €1.2 billion penalty was calculated, the EDPB said, to reflect the seriousness of the infringement.
The fine is not the only sanction. Meta was also ordered to suspend future transfers of EU users’ personal data to the US within five months and, within six months, to bring Facebook’s processing operations into line with the GDPR as interpreted in Schrems II. In practice that means ceasing the unlawful processing, including storage, in the US of EU users’ personal data unless a valid GDPR transfer mechanism is in place.
In this blog post, we’ll delve into the details of the record-breaking fine and explain its significance to both the GDPR and the data privacy landscape as a whole.
How Schrems II played a role in the Meta fine
In its July 2020 Schrems II judgment, the Court of Justice of the European Union (CJEU) struck down the EU-US “Privacy Shield” adequacy decision that had previously been relied on for transfers of EU personal data to the US. It left standard contractual clauses (SCCs) valid in principle, but ruled that a data exporter cannot rely on them alone: it must assess whether the law of the destination country, in particular the access powers of US intelligence agencies, undermines the protection the clauses promise on paper, and must adopt supplementary technical, contractual, and organizational measures where it does. The EDPB subsequently published recommendations describing such supplementary measures, and what counts as compliant depends on the measures that accompany the SCCs rather than on the clauses themselves.
However, regulators found that Meta continued to transfer EU personal data to the US on the basis of SCCs without supplementary measures adequate to address the risks identified in the judgment. With hundreds of millions of Facebook users in Europe, this amounts to a massive volume of personal data handled in violation of the GDPR’s transfer rules.
In addition to paying the €1.2 billion fine, which Meta has said it will appeal, the company faces the possibility of having to delete vast amounts of data about Facebook users in the EU. Meta has claimed that it is being unfairly punished for practices used by thousands of other data-sharing companies.
“We are … disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,” wrote Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, Meta’s chief legal officer, in a statement.
However, the EDPB noted that the unprecedented fine sends a strong message to organizations that serious infringements of the GDPR have serious consequences.
Facebook’s previous fines under EU data protection law
This isn’t the first time that Facebook has drawn regulatory attention for failing to comply with European data protection law. In 2018 and 2019, the company was fined £500,000 by the UK Information Commissioner’s Office (ICO) and a further €1 million by the Italian data protection authority (the Garante) for its role in the Cambridge Analytica scandal. Because the conduct in question predated May 2018, those two penalties were issued under the pre-GDPR national regimes, which capped fines at far lower levels than the GDPR’s 4% of global turnover.
And that’s only the tip of the iceberg. In March 2022, the Irish DPC fined Meta €17 million over a series of Facebook data breaches notified in 2018 that affected millions of users. In November 2022, the DPC fined Meta again, this time €265 million, over the large-scale scraping of Facebook users’ personal data that the regulator found the platform had failed to design against.
What does the Meta fine mean for GDPR compliance?
First and foremost, the massive penalty is a signal that EU regulators are serious about enforcing the GDPR. If, as Meta argues, there are indeed “thousands of other companies” relying on SCCs without adequate supplementary measures, this fine is a wakeup call that noncompliance is costly.
Second, the record fine — or at least Meta’s official response to it — suggests some ongoing confusion around GDPR compliance. Some businesses have found ambiguity in the GDPR’s requirements, while others have achieved compliance only to find that court cases like Schrems II are regularly changing those requirements.
Finally, the order requiring Facebook to stop storing and otherwise processing the personal data of EU individuals in the US will likely be difficult to carry out in the given six-month timeframe. However, there are some indications that Meta may not have to. The EU and US are currently finalizing the new EU-US Data Privacy Framework, the intended successor to Privacy Shield. If the European Commission adopts an adequacy decision on that basis, it would give Meta and other companies a new lawful basis for future transfers of EU personal data to the US, although it would not undo the fine itself or retroactively legitimize past transfers.
It’s uncertain how the EU-US Data Privacy Framework decision will pan out. But for now, the message is clear: comply with the GDPR or face severe consequences.
Strengthening your data privacy for GDPR compliance
ShardSecure can help companies strengthen their data privacy and protection in support of GDPR compliance. Our technology is designed to meet Use Case 5 (split or multi-party processing) of the EDPB’s recommendations on supplementary measures issued after Schrems II, and allows organizations to prevent unauthorized access to personal data.
More broadly, the ShardSecure platform maintains the security, privacy, and resilience of unstructured data on-premises, in the cloud, and in multi- and hybrid-cloud environments, keeping it safe from unauthorized access. It offers easy plug-and-play implementation without unnecessary changes to employee workflows, and it only requires a few lines of code change for integration.