The €1.2bn Meta fine: what happened and what does it mean for your business?
26 May 2023
The sky is falling in. Well, probably not right now. But, the recent decision by Ireland’s data protection regulator to fine Meta 1.2bn Euros is potentially enormously significant for how UK-based organisations transfer personal data to the United States.
The Irish Data Protection Commission concluded that Meta was violating GDPR when it transferred personal data of European Facebook users to the United States using Standard Contractual Clauses (SCCs). This method, they said, did not provide sufficient safeguards against the US’s famously enthusiastic surveillance practices.
In essence, this casts into doubt the viability of SCCs for data transfer practices for DMA members who process EEA data and transfer it to the US under the SCC/appropriate safeguard regime, even if they have other supplemental transfer agreements and measures in place.
In some ways, this result is curious. SCCs are a tool developed by the European Data Protection Board and updated as recently as 2021. Similarly, national regulators have validated them and created guidance and templates. One Meta-sympathetic reading might be that SCCs had been given the legal go-ahead, as a means of conducting data transfers lawfully, by the very regulators who have just fined Meta for using them. Arguably, the commissioners have agreed that their own tool is not fit for purpose by their own rules.
But, Meta is in an exceptional situation. SCCs may still be appropriate for businesses dissimilar to Meta due to the substantially reduced risk level of data protection breaches from US security services. But, that premise has not been tested.
This again highlights one of the difficulties with international data protection rules. Risk varies hugely depending on a business's size. Frankly, it is not even the difference between small and large organisations that is the problem, but rather the difference between most organisations and the few gargantuan businesses, of which Meta is one. Meta's scale of personal data processing, its history of legal battles with the DPC and EDPB, and its specific relationship with the US government mean it is unique in the way it exists across the world and relates to regulators, governments, and individuals.
There may well be a saving grace that will allow us all to forget about this potential spanner in the international data protection works. The European Commission expects the EU-US Data Privacy Framework to be in place in the near future. This will help add certainty for all businesses processing EU personal data and storing or transferring it in the US. The US still needs to make amendments to satisfy the EU but, hopefully, this is being resolved as a priority, because the decision does impact businesses collecting and transferring EU/EEA personal data to the US.
Ultimately, we don't know how Supervisory Authorities will or won't act on this decision. Given that there would be a huge collapse in products and services if no one could rely on their 2021 SCCs as confidently any more, Supervisory Authorities are unlikely to apply the logic of this decision forcefully and rigorously, but will instead take a risk-based approach.
So, for now, as has always been the case, all should reflect carefully on the risks involved with transferring EEA customer data to the USA.
For your business, the best course of action is likely to be carrying on present practices. There is no need for panic, and the situation will likely resolve itself when new US/EU protocols come into force in the summer.
Don't panic. We need not worry about the sky falling in. Yet.