The timing could hardly have been better for the Irish DPC (Data Protection Commission) to announce that Meta was being fined €1.2 billion for a series of data protection failures.
It came on the week that the GDPR (General Data Protection Regulation) celebrated its fifth anniversary. When the legislation took effect in 2018, it promised to revolutionise the way organisations protect and store personal information and punish those that didn’t meet its requirements.
The introduction of the GDPR came with great fanfare, and commentators homed in on the mouth-watering prospect of penalties of up to €20 million or 4% of an organisation’s global annual turnover – whichever was greater.
In the first few months of the GDPR era, reports of data breaches eagerly calculated how much a fine would be if it were 4% of the perpetrator’s annual global turnover.
But inevitably, any fines that were issued were a fraction of that amount. Even the first major headline of GDPR enforcement – a €50 million fine against Google – amounted to a seemingly paltry 0.4% of the organisation’s global annual turnover.
Regulators have insisted that this was by design. As the UK’s data protection commissioner at the time, Elizabeth Denham, said:
It’s also true that companies are fearful of the maximum [penalties] allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
Her words were echoed by data protection regulators across Europe, as they insisted that significant penalties would be issued only in extreme circumstances, and that other sanctions – such as enforcement action – would be the first resort.
However, things took a major turn earlier this month with a landmark ruling against Meta. The €1.2 billion penalty represents almost a third of the €3.9 billion that has been levied in fines in the GDPR’s five-year history.
So what exactly changed, and can we expect more fines like this?
Anatomy of a fine
The scale of this penalty might suggest that Meta suffered a catastrophic data breach, but the problems were instead systemic and insidious – relating to the way the Facebook-owned company transferred personal data provided to the social network site from the EU to the US.
This form of data transfer used to be possible thanks to the EU–US Privacy Shield and, before it, the Safe Harbour Agreement, but both were invalidated after it was deemed that they didn’t meet EU data privacy laws.
In their place, organisations including Meta have used SCCs (standard contractual clauses), which are effectively pre-approved templates containing rules for data protection.
However, the DPC ruled that Meta breached the GDPR by failing to properly safeguard personal data with these clauses. It said that the tech giant’s systems “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the [court of justice] in its judgment”.
Our EU–US GDPR Data Transfer Assessment and Action Plan provides the support you need to comply with the GDPR while transferring personal data outside the EU.
We will conduct a thorough assessment of your data transfer practices and requirements, offering step-by-step advice on how to complete data transfers efficiently and in accordance with the GDPR’s requirements.
Meta says that it has been “singled out” for its use of SCCs, noting that it’s “using the same legal mechanism as thousands of other companies looking to provide services in Europe”.
It added: “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”
By contrast, the data privacy activist Max Schrems was pleased with the fine, which amounts to almost exactly 4% of Meta’s annual global turnover.
Not everybody was satisfied, though. Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, was more blunt in his assessment: “A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally.”
Change of the guard
For those hoping for stricter enforcement of the GDPR, the Meta fine could be viewed as a catalyst for change. However, it isn’t entirely unprecedented. In fact, it’s the sixth penalty that Meta and its subsidiaries have received under the GDPR, with the other five accounting for an additional €1.35 billion.
Elsewhere, Amazon was given a €746 million fine in 2021 – and as has become standard practice, it has protested its innocence and fought the penalties in the appeals process.
This adds another challenge for regulators looking to solidify the powers granted to them under the GDPR, but it does appear as though attitudes are changing.
In the early days of the GDPR, data protection authorities focused on guidance to help organisations towards better habits rather than punishing them for not changing their ways.
As Andrea Jelinek, the chair of the EDPB, told a recent panel discussion at the IAPP 2023 Global Privacy Summit:
When we started from scratch we had to give guidance because everyone wanted to have guidance because the elephant in the room in 2018 was the GDPR. Everybody was thinking now it’s done. No, it was the start of a really big journey.
Over time, however, the supervisory authorities have shifted their position from guidance to enforcement.
Where they once steered non-compliant organisations towards improved data protection practices – especially during the coronavirus pandemic, when the sudden introduction of remote working provided a host of new challenges for organisations – they now issue fines.
As Jelinek said, organisations now “have to show that they’re compliant and if they’re not, they will be fined”.
We also shouldn’t dismiss the fact that we have even made it to the point where fines are being issued. Even when regulators have more intent to fine, they have struggled to complete investigations.
This has been seen most clearly in Ireland, so to have this case – the result of a years-long investigation from the DPC – reach this stage is a major positive development.
The DPC under fire
There have been objections over the way the GDPR has been enforced since its early days. Data protection authorities have taken their time conducting investigations, which is perhaps understandable given the complexity of the Regulation’s rules, the number of complaints being made and the stakes for compliance.
Many of these investigations have been helmed by the DPC, given that Ireland is the European home of tech giants such as Meta and Google. The authority has been bombarded with complaints and has been forced to juggle several complex regulatory investigations simultaneously.
This has not only prevented Big Tech from facing the consequences of previous regulatory infractions but has arguably encouraged them to continue ignoring the law in the knowledge that punishment can be years away, if at all.
Although the DPC will point to the number of high-profile fines it has issued (it accounts for five of the six largest fines), it still has several major investigations that remain active, with some dating back to 2018 when the GDPR came into effect.
Compounding the problem are accusations that the DPC is too lenient with tech giants, an issue that came to a head earlier this year with a controversial multi-year investigation into Facebook and Instagram.
The authority initially concluded that the Meta-owned platforms were entitled to collect personal data under the lawful basis that individuals were entering into a contract and their information was necessary to fulfil its terms.
However, the EDPB (European Data Protection Board) intervened and ordered the DPC to rethink its interpretation of the GDPR. Eventually, the decision was overturned and Meta was given a €390 million fine.
This case was one of the driving forces for the European Commission’s review plan to help data protection authorities apply the Regulation’s rules correctly.
As part of the process, the European Commission will measure how long each procedural step in a case is taking, and what the relevant data protection authorities are currently working on.
In a statement, Johnny Ryan said: “The European Commission’s new commitment should transform Europe’s data and digital enforcement.
“Previously, big cases lay dormant for years. Now, we should see acceleration in investigation and enforcement, and it will be clear where the European Commission needs to take swift action against Member States that fail to apply the GDPR.
“This heralds the beginning of true enforcement of the GDPR, and of serious European enforcement against Big Tech.”
Paving the way
The European Commission and domestic regulators might now have a keener eye on investigations, but there remain the challenges related to transatlantic data flows – the issue that kicked off the investigation into Meta and its eventual €1.2 billion fine.
Meta was forced to use SCCs because regulators in the EU and the US have not been able to agree on a data sharing framework. A major stumbling block is the freedom given to governments under US law to monitor personal data as it flows into the country, which is a violation of data privacy rights under the GDPR.
Both the Privacy Shield and the Safe Harbour Agreement were invalidated because the two sides couldn’t reach a compromise on this. Meanwhile, the latest proposal – the EU–US Data Privacy Framework – looks as though it will meet a similar fate.
At first glance, the text appeared more robust than previous mechanisms, and President Biden gave his assurances that the US would curb government surveillance. However, the European Parliament voted in favour of reopening negotiations after members raised concerns about its validity.
The committee concluded that there are still no robust government surveillance safeguards or mechanisms that give EU residents’ transferred data “actual equivalence in the level of protection”.
It also noted that President Biden’s executive order didn’t prohibit the bulk collection of personal data by US surveillance bodies. Moreover, the president – whether that’s Joe Biden or a successor – is free to revoke or amend executive orders.
This could mean, for instance, that the US could expand the list of legitimate national security objectives, changing the way that personal data collection works.
If these problems aren’t fixed, organisations such as Meta will struggle to find a lawful way to make transatlantic data flows.
Max Schrems, weighing in on the debate, said: “The simplest fix would be reasonable limitations in US surveillance law. There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance.”
He added that, without protections for EU customers, “any other big US cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision [as Meta] under EU law.”
Reflect – review – refresh
Whatever your current GDPR practices look like, it’s important to remember that GDPR compliance is an ongoing process.
To ensure you continue to meet your data processing obligations, you need to regularly reflect on the requirements that affect your organisation, review your data processing activities and then refresh your compliance programme accordingly.
IT Governance has been at the forefront of GDPR compliance solutions since its inception. In the past five years:
- More than 4,000 people have taken our GDPR training courses;
- We’ve delivered GDPR staff awareness training to more than 78,000 people;
- We’ve provided GDPR consultancy to more than 750 organisations; and
- Hundreds of organisations have bought our GDPR books, documentation templates and toolkits.
If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need.