Meta Ireland's €1.2bn GDPR fine takes them to €2.5bn in total

May's record GDPR fine of €1.2bn means Ireland's DPC has now fined Meta more than the entire aggregate GDPR fines in either 2021 or 2022!
Facebook (OK, Meta) just lost out big time with a fine of €1.2bn and orders to suspend transfers of personal data on EEA users to the USA within 5 months and stop processing (even just storing) previously transferred data within 5 months. This is part of the painfully slow but hugely important race between:

  • the Irish DPC’s investigation into Facebook’s use of SCCs, and
  • the US-EU efforts to replace Privacy Shield.

Just to put that €1.2bn single fine and €2.5bn aggregate number into perspective: the UK’s Defence budget in 2023 is £32.4 billion.

In this post we’re focussing on the DPC’s history of fining Meta – to the tune of €2.5bn over the last 3 years – why those fines have been issued, and how this immense €1.2bn decision published on 22 May 2023 (and it is physically immense, 222 pages) fits in.

We’ll also look at how European GDPR fines compare to the USA Privacy regime, and how GDPR fines compare to the Finance sector.

See the sister blog with our CEO’s article for Thomson Reuters on the context of the decision and key takeaways for practitioners.

Ireland fines Meta €2.5bn in 3 years

Taken together, the DPC’s fines on Meta due to GDPR infringements by WhatsApp, Instagram and Facebook total a whopping €2.5bn in the last 3 years alone. And other EEA data protection authorities (DPAs) argue Ireland isn’t doing enough enforcement.

Here’s how those fines break down. It’s interesting to note the range of topics as well as how the inquiries originally started:

  • August 2021: WhatsApp – Transparency – €225m. One of the largest GDPR fines until overtaken by Luxembourg’s €746m Amazon fine. Another very long decision at 266 pages focussed on use of phone numbers and transparency in the information given to users in their Privacy Notices, Policies and other documents.
  • March 2022: Facebook – Breach – €17m. The smaller fine (can one say €17m is in any way small?) followed an inquiry by the DPC into a series of 12 data breach notifications it received in the six-month period between 7 June 2018 and 4 December 2018.
  • September 2022: Instagram – Children – €405m. This massive fine followed an own-volition inquiry by the DPC (and the May 2023 €1.2bn fine was also after an own-volition inquiry) into children’s ability to open personal and business Instagram accounts and how their data was made public and otherwise processed.
  • November 2022: Facebook – Data Scraping – €265m. Another huge fine. The inquiry here started because of media reports of “a collated dataset of Facebook personal data that had been made available on the internet”. The DPC examined Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in the period from 25 May 2018 to 2019.
  • December 2022: Instagram – ‘Forced Consent’ – €180m. Issued on 31 December 2022 and published by the DPC in January 2023 together with the Facebook fine below for the same thing, so they’re often reported together as a €390m fine. This was based on a complaint made by Max Schrems’s organisation NOYB to the Belgian DPA on 25 May 2018, the day GDPR took effect, and it was referred to the DPC as lead Supervisory Authority (SA). Both decisions were about legal basis: could Instagram switch from using consent for e.g. targeted advertising and instead make that necessary for the contract with its users. DPC said yes, EDPB said no, DPC had to say no.
  • December 2022: Facebook – ‘Forced Consent’ – €210m. Published with the Insta decision, this was based on a complaint out of Austria (the DPC notes that Max Schrems / NOYB was a representative of the complainant) and referred by the Austrian DPA on 30 May 2018 just days after GDPR took effect. Same as Insta above, all about legal basis and swapping consent with contract, same result.
  • January 2023: WhatsApp – Legal Basis – €5.5m. That’s not a typo, it was “only” €5.5m. The decision is still 112 pages long. The fine was “small” as the Privacy Policy and time period were the same as for the Transparency Decision in August 2021, and WhatsApp had already moved that processing into compliance. This inquiry was based on a complaint out of Hamburg, again with Max Schrems / NOYB as a representative, and again referred to the DPC as lead SA. It was also partly a transparency decision, but mainly held that ‘necessary for contract’ wasn’t an available legal basis for “processing of personal data for the purposes of service improvement and security features (excluding processing for the purpose of “IT Security” as defined by paragraph 90 of the Article 65 Decision)”.
  • May 2023: Facebook – Transfers – €1.2bn. And now we come to this month’s immense fine. This was another own-volition inquiry by the DPC started in August 2020, just one month after the Schrems II decision. The inquiry focussed on Meta Ireland’s use of the standard EU SCCs (both the 2010 and 2021 versions) to transfer personal data of EEA Facebook users to the USA. The DPC decided that the SCCs, even combined with the extensive supplemental measures that Meta IE put in place, did not compensate for US surveillance laws to provide an adequate level of protection.

In a separate post, first published on Thomson Reuters and which we’ll post here shortly, we dig into the key takeaways from the decision, and how this might impact your own Privacy Governance at your organisation. But now, let’s see how Ireland fares against the rest of the EEA – it’s a rather ‘intense’ relationship – and then how Europe’s GDPR fines compare to the USA and to fines under the Finance regs.

Only 0.7% was about Security

Looking at the figures, you can see only €17m was about breaches, or 0.67% of the fines. Over €2.4bn of this €2.5bn total, or more than 99.3%, had nothing to do with Security.

Yes, Security is 1 of GDPR’s 7 Principles, but it is only 1 of 7 and Privacy is about more than Security – indeed, more than GDPR.

Ireland vs the rest of the EEA

According to DLA Piper’s GDPR fines and data breach survey: January 2023 (which starts the year at 28 January):

2022 was another record year with an aggregate of EUR1.64bn (USD1.74bn/ GBP1.43bn) GDPR fines reported across Europe [EEA 30 + UK]. The aggregate value of fines issued in 2022 was 50% more than the value of fines reported in 2021.

And remember, we’ve just seen that €390m of that 2022 figure was the DPC ‘forced consent’ fines on Facebook and Instagram.

These numbers mean that:

  • the DPC’s single May 2023 fine on Meta IE was bigger than all GDPR fines in the EEA 30 + UK in 2021,
  • the DPC’s aggregate fines on Meta across all services are twice as big as all 2021 GDPR fines in the EEA 30 + UK, and
  • the DPC’s aggregate fines on Meta across all services are 50% bigger than all 2022 GDPR fines in the EEA 30 + UK.

You can’t argue that the DPC isn’t fining! But a lot of the decisions above were the result of the Article 60 cooperation procedure in which several other DPAs disagreed with the DPC and, in the end, so did the EDPB, ordering the DPC to increase fines, give fines, or make orders such as the order not to process historically transferred data in the May 2023 decision.

A close read of the decisions is needed to fully understand the DPC’s reasons and what the objections by other DPAs and the EDPB were based on.

But one thing is certain, these are immense numbers.

Europe v the USA

How about comparing the EEA with the USA? Well, we have a pretty good comparator as Facebook was fined $5bn by the FTC over the Cambridge Analytica matter in 2019. As well as the record-breaking penalty, Facebook had to “submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy, to settle Federal Trade Commission charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information”.

Admittedly that size of fine is rare in the USA as well, but the FTC is taking a much more proactive approach on Privacy violations in recent months.

GDPR v Financial Regs

As further perspective on GDPR fines, let’s look at 2022’s fines under Finance regulations.

  • The UK FCA states that it issued fines totalling £215m (that’s £0.215bn) in 2022, with the biggest being £107m against Santander UK for “weaknesses in its AML framework [which] meant that Santander UK failed to manage adequately the money laundering risks presented by its Business Banking customers.”
  • Germany’s financial regulators are reported to have issued €25m of fines in 2022, France’s €95m and the Dutch £900k.

And in the USA, in December 2022, the US Department of Justice (DoJ) came out with this headline: “Danske Bank Pleads Guilty to Fraud on U.S. Banks in Multi-Billion Dollar Scheme to Access the U.S. Financial System”. Danske Bank pleaded guilty to defrauding US banks. The penalty? Just over $2bn. That’s less than the DPC has fined Meta in aggregate in the last 3 years and not far off the DPC penalty on Meta this month.

How Keepabl can help

Do you know all your transfers? Or all your processors? Keepabl’s Privacy Management Software is your out of the box Privacy Framework that leads you through the process, identifying all the loose ends, pulling it all together in instant reports and visuals.

Why not arrange your demo today!
