Meta fined record 1.2 billion for illegal data transfer

The Irish CNIL chose the week of the fifth anniversary of the General Data Protection Regulation (GDPR) to impose a record fine of 1.2 billion euros on Meta, for not having respected the rules of European art in the transfer of data to the United States.

In a decision released Monday, yet another twist in a saga that dates back to a complaint by privacy activist Max Schrems filed a decade ago, it orders the owner of Facebook to suspend its transatlantic data feeds.

The Irish Data Protection Authority gives him five months to “suspend any future transfer of personal data to the United States”. And six months to stop “unlawful processing, including storage, in the United States” of transferred EU personal data. So far, Amazon has held the record with a fine of 746 million euros imposed by Luxembourg.

Ten years of saga

Meta is accused of not having sufficiently protected the data of Europeans from the American security services. Since the Court of Justice of the EU canceled, in 2020, the Privacy Shield, an agreement on the flow of data between the Old Continent and the country of Uncle Sam, Meta used another legal instrument, contractual clauses type (or SCC), to transfer the data. But the Irish CNIL considers that this mechanism does not prevent “risks to the fundamental rights and freedoms” of European Facebook users.

Meta expected this transfer ban and had threatened, in this case, to cease all activity in Europe. However, the prospect of a new agreement on data flows between the EU and the United States, in the middle of the year, could prevent the tech giant from getting there. The deadlines granted to Meta to stop any transfer seem, in any case, to take this calendar into account…

Data Privacy

For several months, Europe and the United States have been working tediously on defining a new framework for data confidentiality between the two continents, the outline of which was unveiled in December and which was the subject of a decree of the American president, Joe Biden, still in negotiation.

Nothing is certain, as the subject is complex and extremely sensitive in Europe. A few days ago, the European Parliament passed a resolution inviting Brussels not to validate this successor to the Privacy Shield, not considering it sufficiently protective.

The case isn’t over as Meta decided to appeal the decision – which its president of global affairs, Nick Clegg, and chief legal officer, Jennifer Newstead, called “flawed” and “wrongful”. . They believe that it “sets a dangerous precedent for the countless other companies that transfer data between the EU and the United States”. Meta is also asking for a reprieve to suspend implementation deadlines.

The Irish CNIL, regularly criticized by privacy protection lobbies for its alleged laxity towards the giants of Big Tech, will undoubtedly be keen to highlight this decision.