After Meta was hit (sort of) with a €1.2 billion fine last week by the Irish Data Protection Commissioner (DPC) for the unlawful transfer of European Union data to the United States, the headlines worldwide focused on the huge European fine, the largest yet imposed under the five-year-old General Data Protection Regulation (GDPR).
But, as details soon clarified, this was not quite the case of a data-protecting David of Ireland slinging a fine at mighty Goliath Meta. It was the EU’s data-protection oversight body, the European Data Protection Board (EDPB), which effectively imposed the fine, overruling Irish Data Protection Commissioner Helen Dixon’s initial intention only to require that Meta halt transfers within six months.
At issue was Facebook/Meta’s use of legal agreements called standard contractual clauses (SCCs) to transfer the data of hundreds of millions of people in the EU to the US, where – as the Court of Justice of the European Union (CJEU) has ruled in several landmark cases – the data of EU citizens is not given the same level of protection as in the EU.
Data-protection authorities (DPAs) in Spain, Austria, France and Germany disagreed with Ireland’s initial proposal, triggering the EDPB’s resolution mechanism. After assessing the case and the views of DPAs, the EDPB’s binding decision was for the inclusion of the record fine, alongside the requirement to halt transfers.
Be thankful for that, because the DPC’s reasoning not to impose a fine makes little sense, representing a conclusion of ‘just because you can, doesn’t mean you should’ in a situation where the more appropriate reasoning was ‘you should, because you can’.
The GDPR’s article 83 states that fines should be “effective, proportionate and dissuasive”. But Dixon had argued that a fine would not be dissuasive, explaining in a statement last week that “the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being ‘appropriate, proportionate and necessary’ to address the infringement”.
The EDPB disagreed, noting that “taking into account the nature and scope of the processing, as well as the very high number of data subjects affected, Meta [Ireland] committed an infringement of significant nature, gravity and duration,” adding that “the imposition of an administrative fine in addition to the suspension order would have an important deterrence effect, which the imposition of a suspension order alone cannot have”.
I’m not sure if Dixon felt a fine wouldn’t matter because it would not dissuade the company from making transfers, since they’d have to cease anyway, or if it hinged on how paltry a fine of even €1.2 billion is for a company that made €28.65 billion in revenue in the first three months of this year.
But neither fact indicates a company should escape a fine. Deterrence surely has a broader meaning within regulatory policy than enduring a one-off financial slap. No company, no matter how brash, wants global headlines about record fines over its flimsy approach to data protection and privacy, another reputation-damaging hit, especially for a company struggling on many fronts and cutting costs.
A fine is also dissuasive to other organisations that might not yet take GDPR compliance with the boardroom-level seriousness required (I’ve written many times about the cavalier attitude of many US companies towards EU data-protection requirements pre-GDPR, some of which obviously continues).
‘Meta must halt data transfers within months’ is hardly attention-grabbing on its own and most coverage mentioned this aspect only in passing, though it is important. A fine is arguably the most dissuasive tool in the entire GDPR toolkit because of its public visibility.
Especially here, as it’s doubtful transfers will cease. US president Joe Biden signed an executive order last year to bring in a new EU-US data privacy framework aimed at making some US adjustments to address its GDPR shortfalls, including new limits on the information US security agencies can collect.
Given the global economic shock that would follow if all EU-US data flows, worth trillions, were halted, the new framework will most likely be in place before the DPC’s deadline.
Still, you can bet Meta will be making contingency plans to manage data within the EU, if the deadline is somehow missed, or – as is virtually guaranteed – the adequacy of the new agreement is challenged at CJEU level.
The huge, underlying problem for companies is not the use of this or that transfer mechanism, but the wide and non-transparent powers given to US security agencies to access data, and whether Biden’s tweaks will meaningfully resolve serious data-protection gaps.
This will become a major headache for the UK as well, as its own security agency GCHQ has even broader powers than US agencies, and the UK must meet GDPR adequacy requirements too.
Much uncertainty remains. A case such as this further spotlights some of the GDPR’s ‘dissuasion’ weaknesses, a topic for separate, upcoming consideration here.