Meta, better known for Facebook and Instagram, has been fined a record $1.3 billion (€1.2 billion) for allegedly transferring the personal data of EU citizens to US servers. This is by far the biggest GDPR fine since the EU adopted its strict policies in 2016.
The story highlights the disparity between the US and EU regarding their views on data privacy. Compared to the US, which is still struggling with passing a federal privacy law, the EU has been a global trendsetter in reining in on powerful Big Tech companies with strict regulations that protect personal data.
The history behind this penalty dates back to 2020 when the EU’s supreme court ruled that a commonly used data transfer method, known as Privacy Shield, was illegal under the GDPR. The court ruled that Privacy Shield did not sufficiently protect EU citizens from U.S. surveillance.
This decision created considerable regulatory and legal uncertainty for thousands of companies.
At the time of its decision in 2020, the CJEU confirmed that an alternative legal mechanism called Standard Contractual Clauses (or SCCs) would continue to be valid subject to various legal safeguards. As such, like thousands of other businesses, Meta used SCCs believing them to be compliant with the General Data Protection Regulation (GDPR).
Since then, many companies used an alternative for data transfers, known as SCCs or standard contractual clauses.
Facebook claims that at the time, the Court of Justice of the European Union confirmed that SCCs would be legal subject to certain terms.
Monday’s decision confirmed that SCCs were illegal according to the GDPR.
“The fine regarding a GDPR violation serves as a stark reminder of the importance of data protection in today’s dominant digital landscape and the consequences organizations may face if they fail to meet these obligations,” Eduardo Azanza, CEO of Veridas, said in a statement in response to the fine. “The GDPR is designed to safeguard the rights and privacy of individuals. Thus, it’s fundamental for organizations to respect these laws and regulations to not only maintain customer trust and confidentiality but to also avoid such public scrutiny and reputational damage.”