Stressing the importance of data protection, Ireland’s Data Protection Committee has ordered Facebook and Instagram-owner Meta to pay the largest fine imposed under the EU’s General Data Protection Regulation (GDPR). The company has been fined Euro 1.2 billion for mishandling people’s data when transferred between Europe and the US.
GDPR has rules for how data can be transferred inside, but also outside, of the EU. US data protection regulations are considered to be less strict than the EU’s. The Irish authority says that “US law does not provide a level of protection that is essentially equivalent to that provided by EU law”.
The authority concludes that in making the data transfers, Meta European headquarters have infringed GDPR.
Meta’s European headquarters are based in Ireland it is therefore Irish data protection authority has investigated the case.
Meta’s head of global affairs, Nick Clegg tweeted that the decision is not about one company’s privacy practices. There is a fundamental conflict of law between the US government’s rules on access to data & European privacy rights, he said.
“We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts. There is no immediate disruption to Facebook in Europe”, he wrote in a blog post.
“The ability for data to be transferred across borders is fundamental to how the global open internet works.
“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”
“That’s why providing a sound legal basis for the transfer of data between the EU and the US has been a political priority on both sides of the Atlantic for many years.”
Clegg stresses that Meta uses the same legal mechanisms as other organisations.
The Irish authority in its decision says that its decision will bind Meta only. However, it also says that it is clear that the analysis in this decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider may equally fall foul of the requirements of GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA.