LEGAL ALERT: DATA PRIVACY LAW

Meta hit with $1.2 billion fine in E.U. data privacy rules violation

On May 22, 2023, the Ireland’s Data Protection Authority (“IEDPA”) issued a fine of $1.2 billion EUR to Meta.  Meta failed to comply with a 2020 decision by the European Union’s highest court.  Following a long-running inquiry into Meta’s Facebook platform, primarily regarding transfers of personal data from Ireland to the U.S., this ruling requires that Meta stop transferring data about Facebook users in Europe to the U.S.

BACKGROUND

In 2020, the Court of Justice of the European Union issued the Data Protection Commission v. Facebook Ireland, Schrems decision (typically called “Schrems II”) which invalidated the European Commission’s adequacy decision for the EU-U.S. Privacy Shield framework, the privacy framework on which thousands of U.S. companies relied upon to conduct trans-Atlantic transfers of data in compliance with the General Data Protection Regulation (“GDPR”).

In effect, this meant there was no legal means for a company to transfer personal data from the EU to the U.S. Many companies, including Meta, transitioned to relying upon the Standard Contractual Clauses (“SCCs”) a set of contractual provisions that sought to ensure an adequate level of protection for data between two companies, and was hoped to allow trans-Atlantic data transfers to continue. Since the invalidation, ongoing discussions between the U.S. and EU attempted to rectify the inadequacy but they were unable to agree on a new Privacy Shield as of the IEDPA decision.

The May ruling held that the SCCs, revamped after Schrems II, were insufficient to permit data transfer from the EU to the U.S. and issued the $1.2 billion EUR fine following the almost three-year investigation by the IEDPA. For the business world, this is a massive blow to the exchange of information across the Atlantic and impacts every single company engaging in such an exchange. Many companies will be left in limbo since there is presently no GDPR compliant way for them to transfer this critical data.

A grace period of at least five months comes with this ruling.  Meta needs to comply within that period.  This applies only to Facebook and not to Instagram or WhatsApp, which Meta also owns.

MOVING FORWARD

For now, companies operating in the EU should carefully consider how they gather data from the EU.  It is important to note, there is an area of relief in that it is not considered a transfer of data if a company located in the U.S. receives information directly from a data subject in the EU. Similarly, it is not considered a transfer if the data is exchanged within a single party (such as a single company); for there to be a transfer there must be two distinct parties.

For more information or questions, contact Kyle B. Straughan, or the KTC attorney with whom you typically work.