The European Union condemned Meta with a record $1.3 billion fine for transferring European user data to the US.
The European Union fined Meta $1.3 billion for transferring user data to the US. This is the biggest fine since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) on May 25, 2018.
In the past, the social media giant Meta threatened to block its services for users in Europe without a legal basis for data transfers. Now the company was disappointed by the decision of Ireland’s Data Protection Commission and said that it sets a dangerous precedent for a large number of companies transferring data between the EU and U.S..
“There is no immediate disruption to Facebook in Europe,” Nick Clegg, Meta’s president of global and affairs, and Chief Legal Officer Jennifer Newstead said in a statement published by the Associated Press. “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” .
The battle had roots in the past, precisely in 2013 when the privacy activist and NOYB founder, Max Schrems, filed a complaint about Facebook’s handling of his data following the revelations of Edward Snowden about the global surveillance program operated by the US.
On December 13, 2022, the European Commission launched the formal process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework on December 13, 2022.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
Clearly, in order to stop shipping user data to the US, Meta might have to make huge investments such as re-distribute its data to European plants. Unfortunately, currently it has only 3 sites in EU out of 25 data centers world wide (21 in the United States and one in Singapore).
The European Union is also ordering Meta to stop holding any data that was transferred from the EU to the U.S. within six months of DPC’s announcement.
“The EDPB adopted its decision on 13 April 2023.” reads the announcement published by DPC. “Consistent with its obligations to adopt its final decision “on the basis of” the EDPB’s decision, the DPC’s decision of 12 May 2023 records the exercise of the following corrective powers by the DPC:
- an order, made pursuant to Article 58(2)(j) GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland;
- an administrative fine in the amount of €1.2 billion (reflecting the EDPB’s determination that an administrative fine ought to be imposed, to sanction the infringement that was found to have occurred. The DPC determined the amount of the fine to be imposed by reference to the assessments and determinations that were included in the EDPB’s decision); and
- an order, made pursuant to Article 58(2)(d) GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the DPC’s decision to Meta Ireland.”
[출처 : SecurityAffairs / 5.22.]