Meta, the parent company of Facebook, was fined a record 1.2 billion euros by the Data Protection Commission (DPC), the Irish privacy regulator. An unprecedented sum at European Union level, which far exceeds that which Amazon was ordered to pay in July 2021, which at the time was 746 million euros.
The DPC, the Irish equivalent of the National Commission for Computing and Liberties (CNIL) in France, accuses the social network of having continued to transfer personal data from its European customers to the United States. In 2020, the Court of Justice of the European Union (CJEU) ruled that the possibility reserved for American security services to be able to access European data was incompatible with European Union law on data protection.
Nick Clegg, head of public affairs for Meta, judged that this sanction, “unjustified and unnecessary”, “set a dangerous precedent for the many companies that transfer data between the US and the EU”. He also announced that he would appeal the decision.
Max Schrems, the activist behind the CJEU ruling, said he happy with this decision. “The fine could have been higher, given that the maximum can be four billion and that Meta broke the law to make a profit for ten years”continued the expert, referring to the first steps taken to have the previous data transfer mechanism invalidated.
Stop all transfers by October
This long-awaited decision of the DPC specifically criticizes Meta for having, for this transfer, used from 2020 the “standard contractual clauses”, a legal mechanism for the transfer of data insufficiently protective with regard to the decision. of the CJEU. The decision only affects Facebook and not other Meta services, such as WhatsApp.
In addition to the fine, the Irish CNIL ordered the platform to cease all data transfers from European Internet users to the United States from October 12. The company also has until November 12 to repatriate the data of Europeans collected since 2020 to data centers located east of the Atlantic.
A decision that should not have an immediate effect, especially for Facebook users. In the meantime, it is indeed likely that a new legal agreement governing the transfer of data will be found between the United States and the European Union. The European Commission and the European authorities are currently in the midst of negotiations, the outcome of which could come in the coming weeks.
The DPC’s decision – and, beyond that, the compatibility between US law and the European personal data framework – concerns most US technology groups. Through the voice of Nick Clegg, Meta also regrets having been “targeted while we use the same legal mechanism as thousands of companies providing their services in Europe”.
In a press release, the Computer and Communications Industry Association, one of the main lobbies in the technology sector, called on the American authorities to apply the decree signed in October by Joe Biden. This text is supposed to give new guarantees to European citizens in terms of personal data and is an important step on the way to negotiations for a new agreement.
The world
Special offer for students and teachers
Access all our unlimited content from 8.99 euros per month instead of 10.99 euros
Subscribe
It is almost certain that the latter, once adopted, will be sued like its two predecessors. Many, including within large “tech” companies, believe that only a reform of American surveillance law is likely to make it compatible with the General Regulation on the Protection of Personal Data (GDPR).
Debate on the role of the DPC
This decision by the DPC is also an important date in the history of this ambitious text on personal data, which will be celebrated on May 25, the 5th anniversary of its entry into application. It gave the DPC considerable regulatory power by setting up “one-stop shops” for large digital companies, which make the national regulator of the country where their European headquarters are located their sole interlocutor. Ireland, which hosts those from Alphabet (Google, YouTube), Meta (Facebook, Instagram, WhatsApp) and Microsoft, is therefore on the front line to investigate complaints against the world’s largest companies in the sector.
Despite a previous fine targeting Meta – 390 million euros in January – the Irish CNIL is regularly criticized by defenders of personal data for its shyness vis-à-vis these digital specialist groups. The DPC’s draft decision was thus amended by the European Data Protection Board, which brings together all the European CNILs, because the fine initially proposed by the Irish regulator had been deemed too low. It is moreover against the EDPB that Meta reserves his harshest words, considering that the fact that he was able to impose his views on the DPC “raises serious questions”.
“It took us ten years of legal battle against the DPC to obtain this result”noted Max Schrems: “The Irish regulator did everything to avoid this decision, but was systematically denied by the courts and the European institutions. It is absurd that this record fine goes to Ireland, the Member State which did everything to ensure that this fine was not imposed. »