In a shocking turn of events, an Irish court ruled that Meta, the company that owns, among others, the social media giant Facebook, was in violation of GDPR regulations. It has ordered the company to pay 1.2 billion euros and is forcing the company to suspend its European data streams.
GDPR, or the General Data Protection Regulation, was the first law of its kind when it was ratified in 2016 and enforced in 2018. The GDPR establishes the general obligations of data controllers and of those processing personal data on their behalf (processors). These include the obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform. Controllers are also required in certain cases to provide notification of personal data breaches. All public authorities and those companies that perform certain risky data processing operations will also need to appoint a data protection officer. (1)
The law makes it difficult for companies to mislead consumers with confusing or vague language when they visit their websites. It also ensures:
- Website visitors are notified of the data collected.
- Visitors explicitly consent to that information-gathering by clicking on a button or some other action.
- Sites notify visitors in a timely way if any of their personal data held by the site is ever breached.
- There is a mandated assessment of the site's data security.
- It is determined whether a dedicated data protection officer (DPO) needs to be hired or an existing staffer can carry out this function. (2)
The biggest thing to note is that the GDPR is not limited to just Continental Europe. It applies to any business that works in Europe, whether it is based in Italy or the US. When a company is found to be in violation of the regulation, such as by not securing its customers’ data or not informing people in a timely manner, it is fined up to 4% of its previous year’s revenue. This forces companies to amend their policies to comply with the data regulation.
In Meta’s case, the company was sending data from Europe to countries outside the continent, most notably the US. This data stream was not secured to the satisfaction of regulators, who as a result fined the social media giant. This was not the first time that a tech giant got hit with a fine like this: Amazon was hit with a 636 million euro fine in 2021. (3)
The biggest takeaway from this is that without an appeal, Meta will be forced to suspend its data streams coming from Europe by the end of the year. Europe provides ten percent of its revenue, so having its services suspended would put a dent in its finances. There is a potential risk that Meta might have to pull out of Europe entirely.
Meta spokesperson Matthew Pollard declined to give specific comments about the verdict. “Instead, he pointed back to an earlier statement in which the company claimed the case relates to a “historic conflict of EU and US law” which it suggested is in the process of being resolved by EU and US lawmakers who are working on a new transatlantic data transfer arrangement. However the rebooted transatlantic data framework Pollard referred to has yet to be adopted.” (1)
From the time of the court ruling, Meta has five months to either suspend its data streams or prove to regulators that it can protect its users’ data. This is a big issue both for Meta’s revenue sources and from a civilian perspective. Without Europe, Meta supposedly loses 10 percent of its revenue from data streams and ad revenue. And with the service suspended, European accounts will be shut down, potentially depriving people of access to a more global audience.