Ireland fines Mita €1,200m, the largest European penalty for breach of privacy | technology

The Irish data regulator imposed the largest European privacy fine in history on Meta. Their number is 1200 million, according to the figure that was known this morningAnd They surpassed the 746th number of penalized Amazon in 2021, also for privacy-related issues. The penalty is due to the lack of security guarantees for European citizens in transferring their data to the US Like other big tech companies, Meta Europe is based in Ireland, with its national bodies responsible for regulation.

The decision coincides with the fifth anniversary of the entry into force of the European Union’s General Data Protection Regulation (GDPR), and was celebrated by the Council of European Regulators (EDPB, for its English acronym). The record fine, the largest yet in terms of the EU’s General Data Protection Regulation, is “a strong message to organizations that there have been serious breaches.” [de las normas europeas] It had far-reaching consequences, ”estimated the head of the European regulators, Andrea Jelinek. Jelinek said in a statement that the breaches committed by the Meta European headquarters in Ireland are “extremely serious”, given that they are “systematic, frequent and continuous” data transfers. He insisted that “ Facebook has millions of users in Europe, so the volume of personal data transfer is massive.”

The fine stems from revelations by Edward Snowden in 2013. Documents he leaked proved that US intelligence services had accessed the data of citizens of other countries through companies such as Google and Facebook. A lawsuit filed by Austrian lawyer and activist Max Schrems is at the root of the data transfer case.

Meta has already responded that this is not just their organization’s problem and that they plan to challenge the “unwarranted and unnecessary” fine: “This is not about a company’s privacy practices, there is a fundamental conflict of laws between US government rules on data access and European privacy rights, which Lawmakers are expected to resolve it this summer,” Meta’s head of global affairs, Nick Clegg, and company president, posted on the company’s blog. The legal department after hearing the decision. This agreement between the authorities that Meta expects is the DPF, and the Data Privacy Framework (Data Privacy Framework).And that should govern the transfer of data between the European Union and the United States.

For industry representatives, it is also imperative to close the transatlantic data agreement as soon as possible because, according to the Computer and Communications Industry Association (CCIA), the decision now made “ignores reality” and, in effect, “brings down the way the Internet works, from video conferencing to surfing the web.” To process online payments.

This legal uncertainty will continue as long as the new data transfer mechanism [entre EEUU y Europa] It has not been officially approved by the member states,” warned CCIA Europe Director Alexander Rohr.

A spokesperson for the European Commission in Brussels said the European executive “takes note” of Ireland’s decision and confirmed that the US-EU data protection framework should be in place “by summer”.

“This will ensure the security and legal guarantees that companies are looking for, while guaranteeing the strict protection of citizens’ private lives,” said spokesman Christian Wiegand. “The assurances that we negotiated with the United States and that we want to implement respond to the issues specifically identified in this case,” he said.

To understand the importance of these practices, one must remember this transformation Not only shipment of data to the US, but simple access from the US to data hosted on European servers,” says Jorge García Herrero, a data protection attorney.

The regulator also intends to block Meta from transferring data from Europe to the US and delete data that has already been sent. However, Meta is expected to avoid these consequences because European and US governments must sign the DPF, the agreement that regulates this data transfer between continents. “This order not to send any more data to the US in the future may not be particularly significant as we expect a new data agreement between the US and the EU very soon,” says Jonny Ryan, information rights officer at the Irish Council for Civil Liberties. The measure provides for a six-month transition period and Meta is likely to resume, which would lengthen its entry into force.

The fine, according to the Irish agency, depends on the use of a tool called a standard contractual clause. [SCC, en sus siglas en inglés] to transfer European data to the United States and that it does not “address risks to the fundamental freedoms and rights” of Facebook users in the European Union.

In January, Ireland had already fined Meta 390 million for the way it forced Facebook and Instagram users to accept its terms of service to use its networks. This time the penalty refers only to Facebook.

The impact of the data transfer ban goes beyond Facebook, which is the only network directly affected by the decision: “Meta will be required to suspend transfers of personal data from EU residents to the United States,” says Garcia Herrero. “The details of this penalty can affect many companies, except Mita.”

Other intrinsic details of the decision affect the deletion of data that has already been sent: “This is a new bombshell in itself: it seems clear that Meta does not have its systems designed in such a way that the European part can be removed cleanly,” adds García Herrero. But in Meta they are already warning that this requirement is subject to what appears to be an imminent agreement between governments: “We are pleased that the DPC [el regulador irlandés] You have also confirmed in your decision that there will be no suspension of transfers or any other action required by Meta, such as the requirement to delete Data Subjects’ Data from the European Union once the underlying conflict of laws has been resolved. This means that should the DPL come into force before the implementation deadlines expire, our services can continue as they do today without any interruption or impact on users.”

You can follow country technology in Facebook And Twitter Or sign up here to receive The weekly newsletter.