Facebook (OK, Meta) just lost out big time with a fine of €1.2bn and orders to suspend transfers of personal data on EEA users to the USA within 5 months and stop processing (even just storing) previously transferred data within 5 months. This is part of the painfully slow but hugely important race between:
In this post we’re focussing on the DPC’s history of fining Meta – to the tune of €2.5bn over the last 3 years – why those fines have been issued, and how this immense €1.2bn decision published on 22 May 2023 (and it is physically immense, 222 pages) fits in.
We’ll also look at how European GDPR fines compare to the USA Privacy regime, and how GDPR fines compare to the Finance sector.
See the sister blog with our CEO’s article for Thomson Reuters on the context of the decision and key takeaways for practitioners.
Taken together, the DPC’s fines on Meta due to GDPR infringements by WhatsApp, Instagram and Facebook total a whopping €2.5bn in the last 3 years alone. And other EEA data protection authorities (DPAs) argue Ireland isn’t doing enough enforcement.
Here’s how those fines break down. It’s interesting to note the range of topics as well as how the inquiries originally started:
In a separate post, first published on Thomson Reuters and which we’ll post here shortly, we dig into the key takeaways from the decision, and how this might impact your own Privacy Governance at your organisation. But now, let’s see how Ireland fares against the rest of the EEA – it’s a rather ‘intense’ relationship – and then how Europe’s GDPR fines compare to the USA and to fines under the Finance regs.
Looking at the figures, you can see only €17m was about breaches, or 0.67% of the fines. Over €2.4bn of this €2.5bn total, or more than 99.3%, had nothing to do with Security.
Yes, Security is 1 of GDPR’s 7 Principles, but it is only 1 of 7 and Privacy is about more than Security – indeed, more than GDPR.
According to DLA Piper’s GDPR fines and data breach survey: January 2023 (which starts the year at 28 January):
2022 was another record year with an aggregate of EUR1.64bn (USD1.74bn/GBP1.43bn) GDPR fines reported across Europe [EEA 30 + UK]. The aggregate value of fines issued in 2022 was 50% more than the value of fines reported in 2021.
And remember, we’ve just seen that €390m of that 2022 figure was the DPC ‘forced consent’ fines on Facebook and Instagram.
These numbers mean that:
You can’t argue that the DPC isn’t fining! But a lot of the decisions above were the result of the Article 60 cooperation procedure in which several other DPAs disagreed with the DPC and, in the end, so did the EDPB, ordering the DPC to increase fines, give fines, or make orders such as the order not to process historically transferred data in the May 2023 decision.
A close read of the decisions is needed to fully understand the DPC’s reasons and what the objections by other DPAs and the EDPB were based on.
But one thing is certain: these are immense numbers.
How about comparing the EEA with the USA? Well, we have a pretty good comparator as Facebook was fined $5bn by the FTC over the Cambridge Analytica matter in 2019. As well as the record-breaking penalty, Facebook had to “submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy, to settle Federal Trade Commission charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information”.
Admittedly that size of fine is rare in the USA as well, but the FTC is taking a much more proactive approach on Privacy violations in recent months.
As further perspective on GDPR fines, let’s look at 2022’s fines under Finance regulations.
And in the USA, in December 2022, the US Department of Justice (DoJ) came out with this headline: “Danske Bank Pleads Guilty to Fraud on U.S. Banks in Multi-Billion Dollar Scheme to Access the U.S. Financial System”. Danske Bank pleaded guilty to defrauding US banks. The penalty? Just over $2bn. That’s less than the DPC has fined Meta in aggregate in the last 3 years and not far off the DPC penalty on Meta this month.
Do you know all your transfers? Or all your processors? Keepabl’s Privacy Management Software is your out of the box Privacy Framework that leads you through the process, identifying all the loose ends, pulling it all together in instant reports and visuals.
Why not arrange your demo today!