Facebook's parent company, Meta, was hit with a record-breaking fine from the Irish data-protection authority for sending data to the US without the necessary privacy protections, a violation of the requirements of the EU's General Data Protection Regulation.
According to a statement from the Irish data-protection authority, Meta has not addressed the dangers to the basic freedoms and rights of Facebook users in Europe. Along with the penalty, Meta has also been given a five-month period to stop sending Facebook data to the US through what are known as standard contractual clauses (SCCs).
Since the Court of Justice of the EU determined that the established Privacy Shield agreement, which was meant to facilitate data transfers, did not adequately secure data from United States spy agencies, companies have used SCCs to transmit EU data to the US. The judgment, which came down in 2020, invalidated the agreement and imposed stricter guidelines for the use of SCCs, a different legal mechanism that was also frequently employed by businesses to send data to the US.
In its decision to invalidate Privacy Shield and tighten the rules surrounding SCCs, the European Court of Justice stated that data controllers or processors transmitting data on the basis of SCCs must guarantee the data subject an adequate degree of protection, roughly comparable to that assured by the General Data Protection Regulation and the European Union Charter of Fundamental Rights.
The Irish data-protection authority asserted that Meta's SCCs, however, do not shield the personal data of people in the EU from the US government's mass surveillance activities, thereby raising doubts about any company's capacity to send such data to the United States.
Among other problems, neither EU nor US data subjects had any means of learning whether their personal data was being gathered or further processed, and there was no way to obtain access to, correction of, or deletion of that data.
Nick Clegg, former leader of the UK Liberal Democrats and now Meta's president of global affairs, and chief legal officer Jennifer Newstead wrote in a blog post that the essential conflict between the US government's rules on accessing data and the privacy rights of Europeans is not a problem that Meta or any other company could solve on its own.
They added that Meta was disappointed to have been singled out, considering that hundreds of other businesses use the same SCCs. Consequently, Meta will challenge the decision, along with what it called an unnecessary and unjustified fine.
The fine, which surpasses the $877 million assessed against Amazon in 2021 for comparable privacy infractions, is the highest ever issued by a European regulator.
Nigel Jones, co-founder of the Privacy Compliance Hub, a supplier of privacy compliance technology, noted that the requirement to stop storing the personal data of EU citizens that Meta transmitted illegally is a huge administrative, technical, and financial task. Within the allotted period, it is hard to predict how Meta could possibly stop the transfers and bring its procedures in line with the law.
New agreement for data transfer to replace Privacy Shield
In October 2022, two years after the US Supreme Court declared Privacy Shield to be unenforceable, the US President issued an executive order establishing the guidelines for a new EU-US data transfer agreement, the Trans-Atlantic Data Privacy Framework.
Though the EU Commission stated in December 2022 that the framework offers privacy protection equivalent to that of the EU, many MPs must still comment on the accord before it can be officially adopted.
A committee made up of representatives from the EU member states and the European Parliament, which has the right to review adequacy determinations, must also approve the EU Commission's request after approval by the European Data Protection Board. Only after that will the Commission be able to officially adopt the framework.
If adopted, the framework would require US businesses to abide by a complex set of privacy rules, including demands that personal data be deleted once it is no longer required for the purposes for which it was obtained, and that data continue to be protected when it is shared with third parties. In essence, the rules are meant to guarantee that data transfers between the EU and the US comply with the GDPR's privacy requirements.