The Irish privacy regulator has given Meta a GDPR fine of 1.2 billion euros. Meta violates privacy law by illegally sending user data to the US. More important than the fine is that Meta must stop using the much-discussed standard contracts.
The fine is the highest ever handed out for a GDPR violation. Previously, the highest fine was the one for Amazon, which was fined 746 million euros last year. The fine for Meta comes from the Irish Data Protection Commission, the lead regulator in European investigations into Meta and many other major tech companies that have their headquarters in Dublin. Earlier there were rumors that Meta would be fined at the beginning of this week, but it was not yet clear how high the fine would be.
The fine revolves around the much-discussed and controversial ‘standard contractual clauses’. Those SCCs are a holdover from the discontinuation of the Privacy Shield treaty, which the European Court of Justice banned in 2020. Privacy Shield made it possible for tech companies to store data from European users in America, but according to the Court, America would not protect the data well enough. The only shortcut left after Privacy Shield was discontinued was standard contractual clauses. Through such ‘model contracts’, tech companies could claim that they had an agreement with a user for the transfer of data. For example, there would be a good reason to send data to the US.
Critics of Meta have always opposed those SCCs. Max Schrems, among others, has always strongly opposed them. The present case was also brought by him. The Irish regulator now not only issues a fine, but also prohibits Meta from transferring data to America via SCCs. That puts a bomb under the company's business model. Last year, Meta already threatened to stop offering Facebook and Instagram in Europe if the contracts were banned.
The decision does not take effect immediately. Meta will first receive a transition period of five months from the regulator. During that period, the company must find a new basis for collecting data from European users. This could be permission, for example. Meta has been working on this for a while: earlier this year it changed the way it collected user data. That method is also controversial. Experts, including Schrems, think that this collection method will also not be allowed by judges and regulators.
Meta says in a comment that it will contest the decision. The company wants to ask the court to stop the fine and the data issuance. “This is not about one company’s approach to privacy – there is a fundamental legal conflict between the rules of the US government and European privacy rights, which policymakers expect to resolve over the summer,” said Meta.
The Dutch Data Protection Authority is satisfied with the fine. “This fine shows what we, as privacy supervisors in Europe, are capable of together,” says chairman Aleid Wolfsen in a response. “Partly thanks to the input of the Dutch Data Protection Authority within the European Data Protection Board, our Irish colleagues arrived at this highest GDPR fine ever. Large tech companies have a great responsibility to handle their users’ personal data properly and with European privacy law in hand, we can enforce this.”
Update, 11.49: This article initially described rumors of a fine based on Bloomberg sources. The article has been updated with current information on the actual fine.
Update, 15.09: the reaction of the Dutch Data Protection Authority has been added.