
Ireland slaps Meta with $1.3B fine over GDPR data privacy violations


Governments around the world continue to crack down on Meta’s dubious data practices, with Irish regulators issuing a record-breaking $1.3 billion fine after an investigation found Facebook was transferring users’ personal data in violation of the EU General Data Protection Regulation.

The fine, from the Irish Data Protection Authority, follows a European Data Protection Board dispute resolution on April 13 that revealed Meta was not complying with the stringent data privacy rule. The decision instructed the Ireland DPA to impose a fine on Meta, with the starting calculation between 20% and 100% of the applicable legal maximum.

The penalty is the largest issued under GDPR and is meant to reflect the egregious and repeated nature of the social media giant's shoddy data protection and privacy practices. Given that Facebook is used by millions of Europeans, “the volume of personal data transferred is massive,” explained Andrea Jelinek, EDPB Chair.

“Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous,” said Jelinek, in a statement. “The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”

The summary judgment notes the administrative fine is designed to “appropriately address the infringement committed in the past.” And the “suspension alone is not sufficient… the imposition of an administrative fine would have punitive effects that the suspension would not have.”

The fine stems from an investigation that was launched into Meta after a July 16, 2020, EU judgment against the company to resolve claims brought by privacy activist Max Schrems with the Irish Data Protection Commissioner in 2013. Schrems claimed that US laws didn’t offer adequate protection against government surveillance.

The court ruled against Meta and created a standard that non-EU countries would need to meet to ensure a level of protection equivalent to GDPR and other data privacy laws.

Investigators sought to determine “the lawfulness of international transfers of personal data” by Meta for EU users of Facebook, pursuant to the July 2020 decision. After years of reviewing evidence provided by the company into its own policies, they confirmed “Meta does not have in place any supplemental measures which would compensate for the inadequate protection provided by US law.”

Further, “it’s necessary to exercise corrective powers in order to address the infringements identified” and that “in all the circumstances, it is appropriate, necessary and proportionate to order the suspension of the data transfers… [under] GDPR.”

The penalty is designed to act as a deterrent to other companies and reaffirm the need for entities operating in the EU to take proactive measures to ensure compliance with the law.

Under the resolution decision, EDPB has ordered Meta to bring its data transfers into compliance with the GDPR. As per the initial resolution, the Ireland DPA ordered Meta IE to bring its processing operations into compliance with GDPR, including putting an end to “the unlawful processing” and storage of European users’ data in the US, which violated GDPR.

Meta has six months to bring its operations into compliance.

The fine is just the latest enforcement and regulatory action to spotlight the pervasiveness of Meta’s data practices. Earlier this month, the Federal Trade Commission accused the tech giant of failing to comply with its 2020 $5 billion data privacy settlement with the agency — the second violation since a 2012 order banned Facebook from misrepresenting its privacy practices.

The company recently asked the court to dismiss a massive class action suit filed by US consumers that claimed Meta is scraping hospital health data. Meta claims the responsibility for pixel use is on the entity and not the company. It’s unclear whether its defense will hold water, in light of the EU decision.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
