Meta facing third fine of 2023 for mishandling EU user data under GDPR
This one could set a new record for penalties against US companies doing business on the continent
Meta is set to face what may be a record fine for failure to comply with the GDPR by shipping user data belonging to EU residents to the US without proper guarantees it would remain safe from inspection by authorities.
The fine, which is to be levied by Ireland's Data Protection Commission (DPC) against Zuckercorp, remains unknown as the DPC has yet to publish its decision in the case. Unnamed sources speaking to Bloomberg said they expect it to eclipse the €746 million ($805 million) fine data protection officials from Luxembourg charged to Amazon in 2021 for similar violations of the GDPR.
Along with ordering the reportedly record fine, the DPC's forthcoming decision will also block all of Facebook's data transfers from the EU to the US based on agreements questioned by the EU's top court, Bloomberg's sources said.
This is hardly the first time Meta has been fined by Irish officials over GDPR privacy violations. The DPC fined Meta €17 million ($18.6 million) in early 2022 for failing to protect user data, and €265 million ($275 million) later in the year over Facebook data being scraped and exposed online.
So far in 2023, the DPC has fined Meta a combined €390 million ($414 million) for not getting consent to use personal data in Facebook and Instagram, and a further €5.5 million ($5.9 million) for similar violations in its WhatsApp secure messaging platform.
The DPC has not yet responded to requests for comment from The Register. However, DPC deputy commissioner Graham Doyle confirmed the fine with the newswire and said the DPC planned to publish it after Meta has had a chance to review the ruling for redaction.
Meta declined to comment, though sources in the company said reporting on the fine was still speculative and it expects a formal announcement this coming Monday.
Data transfer disagreements continue
Facebook's possible record fine is the latest salvo in an ongoing battle between the EU and US to hammer out regulations for transferring data in a manner that adheres to the GDPR and protects the data of EU citizens.
Max Schrems, the privacy campaigner and lawyer behind noyb, has been a key player in the battle to ensure EU citizens' data isn't snooped upon by US officials once transferred overseas. Two cases Schrems brought before the EU sought to challenge data transfer rules between the EU and US, with the second case, colloquially known as "Schrems II," resulting in the striking down of Privacy Shield, a set of rules governing the transfer of EU citizen data to the US.
Schrems argued in his second case there were no suitable protections for EU citizens once their data was transferred to the US, where it could be freely accessed by various spy agencies and law enforcement with no recourse for Europeans – a line of argument familiar to US lawmakers.
President Biden signed an executive order in late 2022 to authorize the transatlantic Data Privacy Framework (DPF) to replace Privacy Shield, but Schrems has issues with that as well.
EU lawmakers have also raised concerns about the DPF, saying it still falls short of GDPR standards and would allow US companies to use EU citizens' data in manners incompatible with European privacy regulations. The DPF does nothing to prohibit bulk collection of data by signals intelligence agencies, and it allows the US president to expand the list of national security objectives under the rule without informing the public, EU officials said.
EU legislators objecting to the DPF urged the European Commission not to issue an adequacy decision regarding the law, which is an official recognition by the EU that a non-member country has adequate data protections in place.
The European Commission issued a draft adequacy decision regarding the DPF in December, but both the EU Parliament's Committee on Civil Liberties, Justice and Home Affairs and the European Data Protection Board have found the DPF falls short on adequate protections for European citizens.
The Civil Liberties Committee again in April urged the European Commission not to grant a final adequacy decision, rumored to be planned for release in July. Of the vote by MEPs to adopt a resolution against the DPF, rapporteur Juan Fernando López Aguilar, an MEP from Spain, said the DPF is unlikely to survive a challenge in court and thus needs to be tossed out.
"The Commission must continue working to address the concerns raised by the European Data Protection Board and the Civil Liberties Committee even if that means reopening the negotiations with the US," Aguilar said. ®