Five years since GDPR enforcement started in 2018, the Irish data protection regulator issued the heftiest fine levied so far: €1.2 billion against Meta for violation of international data transfer requirements.
This is not the first time that European regulators have investigated how companies handle the transfer of personal information of EU citizens to the US. In fact, since the invalidation of Privacy Shield in 2020, companies of every size have struggled to comply with the requirements of the law. So many are still trying to figure this out! According to Forrester’s Business Privacy Survey, 2021, only 41% of US organizations said that they are compliant with international data transfer requirements. Surprisingly, as few as 31% of German organizations say the same, with 47% reporting that they are partially compliant. Almost half of the companies in Italy and France and 39% in the UK say that they are compliant with these requirements.
Look Beyond The Headline Hype
With so many companies still trying to find their path to compliance, this news of the GDPR fine against Meta is a wake-up call for many privacy and business leaders around the world. But with so much concern, it’s easy to pay attention to the wrong headlines.
- The fine: While this is the highest fine levied so far, it is still small for a company that reported $117 billion in revenues in 2022.
- The immediate impact: Beyond the fine, EU regulators have ordered Meta to suspend the transfer of personal data of EU citizens to the US. Meta has roughly until October 2023 to do so. US authorities and the EU Commission, however, are in the process of finalizing a new framework — the Data Privacy Framework — that allows organizations to lawfully transfer data across the Atlantic. Despite the negative opinion formally issued on it by both the European Parliament and the European Data Protection Board (EDPB), it is still very likely that the EU Commission will adopt the new framework in the next few months. This means that Meta will comply with the new rules instead of suspending any transfers.
- The future of Meta’s business model in Europe: In the assessment of EU regulators, standard contractual clauses (SCCs), together with the other safeguards Meta leverages to protect the privacy rights of users in the EU, do not offer sufficient protection to the personal data that Meta transfers from the EU to the US. In practice, they are asking Meta to change its operations so that any storage and processing of EU personal data happens within the EU, with only some exceptions to this rule. This would surely have a significant impact on the company, but — as I said before — most likely a new framework will be available in the next few months and Meta, like many other companies, will rely on it instead of SCCs for any transfers. At least for as long as the new framework lasts, it will be “business as usual.”
Privacy Leaders, Take Note
The regulator’s decision is significant, and privacy and business leaders around the world are right to be worried because:
- The decision went beyond the will and the assessment of a single regulator. The Irish regulator that formally issued the fine openly said that the decision was actually against its will. In fact, the EDPB, with a binding decision, forced the Irish regulator to fine Meta. And within the Board, some countries were particularly adamant about the decision. This is a rather rare occurrence, but it shows that European authorities have the power to come together to enforce their policies. If, in the past, companies would carefully choose the regulator that they preferred to interact with in the hope of a more lenient approach, this strategy will not work in the future.
- European authorities have the power and the guts to dismantle a company’s business model, regardless of its size. Assuming that the new data protection framework is available before November, Meta’s business in Europe is safe. Meta also announced that it will appeal the decision, which will buy the company more time before implementing the decision, just in case it needs it. But this decision shows that European authorities prioritize policies over companies’ economic interests, even when their decisions might bring disruption to users and reshape the market. Those that believe that certain enforcement actions are unlikely because of their disruptive market impact should think again.
- Privacy is risk management, not a rule booklet. With the invalidation of Privacy Shield in 2020, the EDPB introduced a new tool for companies’ compliance toolkits: the Transfer Impact Assessment (TIA). The idea is that, in addition to contractual remedies such as SCCs, every organization engaging in international data transfers must assess whether the transfers create risks to the data subjects and adopt adequate additional safeguards to mitigate those risks. For most organizations, this translates into encryption, robust policies for managing encryption keys, data pseudonymization, and more rigorous governance as needed. But there is no definitive list of controls that will make organizations completely sure that they are compliant. In fact, Meta argued that it leveraged the approach that the EDPB recommended and still got fined. Google Analytics found itself in a similar position. This is because not all transfers create the same risks, and each organization must figure out what’s right for its specific case.
Act Now To Mitigate Your Risk
If you are managing trans-Atlantic transfers of EU residents’ data, this is what the decision means for you:
- Ensure that you know when and how you transfer personal data of EU citizens to the US, and comply with the rules as appropriate. Leverage data flow maps to track your transfers across the Atlantic. Remember that the rules apply to storage of data as well as processing of data. If this applies to you, review your TIAs, make sure that the correct version of the SCCs is in place, and engage with your security team to ensure that your additional safeguards are adequate.
- Double down on third-party risk management. For most organizations, this decision means that they have to be disciplined with their third-party risk management practices. In fact, most often, transfers happen as part of cloud-based services or other products or services offered by third parties. Ensure that you review all direct and indirect transfers of your customers’ data via third parties. The shared responsibility model for cloud has become very common, but remember that liability sits with you, and it’s important that you understand and are comfortable with the terms of the agreements.
- Assess your dependency on transfers, focusing on operational impacts in case of suspension or disruption. Companies that engage in “systematic, bulk, repetitive, and continuous” transfers are most likely to create more significant risks that require particular treatment and attract regulatory scrutiny. Across your third-party ecosystem, assess where transfers are riskier and build a risk scenario that assumes suspension or disruption of those transfers. This exercise will help you prioritize management of your riskier third parties today and prepare a response if something goes wrong in the future.
If you have any questions about my research and insights on international data transfers or would like to discuss best practices and future developments, please schedule an inquiry.