The owner of Facebook, Meta, has been fined €1.2bn (£1bn) for mishandling people’s data when transferring it between Europe and the US.
The Irish Data Protection Commission (DPC) recently published its decision and issued a press release concerning the transfer of Facebook users’ personal data from Meta in the EU / EEA to Meta’s head office in the United States. The DPC in Ireland has jurisdiction over Meta, as Meta’s European headquarters are in Dublin.
It is the biggest fine ever levied for a breach of the General Data Protection Regulation (GDPR). The regulation is stringent: you must have at least one lawful basis for processing personal data. There are six lawful bases for processing, set out in Article 6 of the GDPR. These are:
- clear consent given by an individual to process their personal data for a specific purpose;
- the processing is necessary for a contract that you have with an individual;
- the processing is necessary for your compliance with the law;
- the processing is necessary to protect someone’s life;
- the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; and
- the processing is necessary for your legitimate interests or the legitimate interests of a third party.
Facebook has been given at least five months to suspend future transfers and six months to stop the unlawful processing and storage of data in the US. Meta also owns Instagram and WhatsApp; however, those services are not involved in this decision.
The DPC punishment stems from a legal challenge brought by an Austrian privacy campaigner, Max Schrems, over concerns that European users’ data is not sufficiently protected from US intelligence agencies when it is transferred.
Meta has said it will appeal the decision, describing it as “unjustified and unnecessary” and saying it sets a “dangerous precedent”.
The GDPR is a European data protection law that gives individuals more control over their personal information. It sets out rules companies must follow to transfer user data outside of the EU such as gathering consent. Companies of all sizes that target customers in the EU must evaluate and adjust their data collection practices to meet the requirements.
Complying with this European regulation on data protection means ensuring data is collected, used, and stored legally. This includes gathering consent from data subjects, disclosing why information is collected and how it is used, and keeping the data secure.
If you’d like to know more detail about GDPR, please click here.
How does this affect businesses in the UK?
Since Brexit, the UK sits apart from the 27 EU member states. In the UK, the Information Commissioner has recently indicated something of a change in direction. Fines are still considered important and will be used where truly needed, such as where a contravention of the GDPR has caused the most harm or the business in question has profited from the non-compliance. However, the Information Commissioner’s Office (ICO) is pursuing other options to enforce data protection regulation, such as reprimands and the publication of investigations.
The ICO has also announced its continued approach to focus on big tech and its commitment to safeguarding vulnerable groups, including the use of children’s data.
Here at Berry Smith, we advise businesses on their GDPR obligations on a daily basis. If you need advice on your GDPR or data protection obligations, please do not hesitate to contact us at firstname.lastname@example.org or on 029 2034 5511.