Meta fined a record amount for GDPR infringements
International dataflows are the lifeblood of modern commerce, allowing businesses to identify and target existing customers and potential new markets. However, as Meta’s recent record fine shows, navigating the regulatory landscape safely is getting harder.
Meta, the parent company of Facebook, has been slapped with a record-breaking 1.2 billion euros ($1.3 billion) fine by Ireland’s Data Protection Commission for breaching European Union data protection regulations. The company was ordered to halt the transfer of data collected from Facebook users in Europe to the United States, following its failure to comply with a 2020 ruling that deemed such data transfers inadequately protected from American intelligence agencies. Meta has expressed its intention to appeal the decision, leading to a potentially protracted legal process.
GDPR – a modern approach to data protection
GDPR set the modern global standard for data protection when it came into force in 2018, and it has since been copied by legislatures around the world. It emphasises the rights of individuals to control their personal information while restricting the freedom of businesses to treat personal information as if it were simply another asset to be commercialised.
GDPR is especially concerned about ensuring that when personal information is transferred between countries it gets to retain the benefit of the highest standards of protection, regardless of the local laws of the destination territory. GDPR will only permit data transfers to less regulated jurisdictions if specific safeguards are implemented, the most common examples being “Standard Contractual Clauses” (SCCs) – preapproved forms of contractual wording that can be easily incorporated into data transfer agreements to provide the requisite protection.
A record fine
In principle, SCCs offer businesses a safe path through the minefield of regulatory compliance. However, as Meta has found out, it is not enough simply to cut and paste SCCs into data transfer agreements – they must also be actively and effectively implemented.
In the case of transfers from the EU to the US, the differences between GDPR and US data protection law are particularly stark and probably cannot be overcome simply by incorporating SCCs. In May 2023, the Irish Data Protection Commission (DPC) held that Meta’s transfer, processing and storage of EU data in the US was unlawful and issued Meta with a record fine of EUR1.2 billion (nearly AUD2 billion), ordering it to suspend its data transfer activities.
Meta’s predicament underlines several important features of GDPR and similar data protection regimes around the world, which all Australian businesses should heed:
- data protection compliance is no longer a question of just ticking boxes – modern regulations tend to be about achieving objectives rather than simply following rules;
- data protection rules can apply internationally and “extra-territorially”, i.e. extending beyond the borders of a specific country;
- financial penalties for breaches can be eye-watering (typically up to 4% of global turnover), giving businesses a real incentive to take compliance seriously.
Meta has described itself as “disappointed” by this decision and has complained of being singled out for harsh treatment. While the DPC has denied this, it is probably fair to say that it has taken the opportunity to make an example of Meta in order to send a clear message to other businesses.
Updating the law
The current review of Australia’s privacy laws is likely to take the Privacy Act 1988 closer to GDPR in approach and outlook. Australian businesses that rely on international transfers of personal information need to be ready for changes in local laws over the next few months and years. In addition, they need to take note of how overseas regulations apply to their activities. There are right ways and wrong ways of transferring data internationally. Getting things right is not difficult but takes time and effort. Meanwhile, as Meta has found out, getting things wrong can prove to be catastrophically expensive.