© All rights reserved to Barnea Jaffa Lande Law offices

European Union v. Facebook: EUR 1.2B Privacy Infringement Fine

After the European Data Protection Board (EDPB) ruled in April 2023 that Meta (formerly Facebook) was systematically violating provisions of the General Data Protection Regulation (GDPR), Meta was fined a whopping EUR 1.2 billion.

The fine was imposed by the Irish Data Protection Commission (DPC) after the EDPB published its binding ruling in April regarding Meta’s transfers of data from Europe to the United States. The ruling effectively compelled the Irish DPC, contrary to its original position, to impose a substantial fine on Meta (exceeding the maximum possible by 20%) in light of the gravity of its violations. In the same context, the EDPB instructed that an order be issued to cease the storage in servers in the United States of European users’ personal data that Meta had transferred in violation of privacy protection laws.

Information Transfer Mechanism

The transfers of personal data to the United States were based on a contractual mechanism known as standard contractual clauses (SCCs), which are designed to regulate the transfer of personal data from Europe to countries found to have an inadequate level of privacy protection. Meta was forced to start using this mechanism back in 2020, when the Court of Justice of the European Union (CJEU) ruled that the Privacy Shield mechanism, which had allowed the transfer of personal data between the EU and the US, was invalid. The CJEU reached this ruling due to its concerns about the level of protection afforded to personal data in the United States, particularly since American intelligence agencies can access such information. This ruling, known as Schrems II, also emphasized that companies must examine the legal situation in the target country of a data transfer, as well as the safeguards needed for the transfer itself. The ruling further found that reliance on the SCC mechanism per se does not constitute compliance with the regulatory provisions.

The Irish DPC’s ruling stated, inter alia, that Meta failed to take sufficient measures to ensure an adequate level of protection for the personal data being transferred and stored in servers in the United States and that it failed to take adequate measures to protect its users’ information, contrary to the Schrems II ruling.

Implications of the Ruling

Risk assessments

Global companies with operations in Europe should recognize the risk of transferring personal data to the United States, including through the use of cloud providers. Until now, the prevailing opinion was that the issue of transferring data to the United States would be resolved soon and that, in any case, there was no reason to think enforcement authorities would impose fines for such transfers. This enormous fine imposed on Meta signals to companies that they need to reconsider their courses of action.

SCC Status

SCCs are not enough. Companies that fail to take the Schrems II ruling seriously and continue relying solely on SCCs are exposing themselves to considerable risks. It is important to perform a specific risk assessment for each transfer of information to countries outside of Europe and to avoid, to the extent possible, transferring sensitive information without adequate controls.

The EDPB’s Strict Position

The regulatory risk arises not only from state authorities but also from the EDPB. In this instance, the Irish DPC believed that no law enforcement action should be taken, considering that Meta had used SCCs, and it even attempted to reduce the fine. The EDPB disagreed with this position and maintained in its ruling that Meta should be heavily fined. This is major news for global companies operating in the EU, since the EDPB’s position regarding data transfers outside of Europe is exceedingly strict, more so than the approach of most relevant authorities in Europe.

What Can We Expect?

The fine will probably not stop companies from using cloud providers in the United States, or halt data transfers from Europe to the United States, but it will certainly speed up the finalization of the new data transfer arrangement between the EU and the US.

It is also likely (and advisable) that the fine will incentivize companies to implement several important internal measures:

  1. Performing orderly mapping of transfers of personal information from Europe to countries deemed to provide inadequate privacy protection, especially the United States.
  2. Formulating a risk management policy for these data transfers.
  3. Performing data transfer impact assessments (DTIAs), including analyses of the legal situation in those countries, the types of data being transferred, existing data security measures, and more.
  4. Carefully considering implementing technological and organizational measures to mitigate the legal exposure.

***

Our firm’s Privacy, Data Protection and Cyber Department is at your service to answer any questions or requests for clarification in this regard and to assist in performing risk assessments.

Dr. Avishay Klein heads the Privacy, Data Protection and Cyber Department at Barnea Jaffa Lande.

Adv. Ben Norman is an associate in the department.

Tags: Privacy Infringement, European Union