In May, Meta was fined a record-breaking €1.2bn ($1.3bn) for mishandling citizen data when transferring it between Europe and the United States. The penalty was issued by Ireland’s Data Protection Commission (DPC) and is the largest fine imposed so far under the EU’s General Data Protection Regulation (GDPR) privacy law. This comes just as the GDPR marked its fifth anniversary on May 25, 2023. Meta is appealing against the fine, claiming it is unjustified and unnecessary. Increasingly, fines are targeted at non-EU countries and companies, so post-Brexit, what does this latest ruling mean for UK plc?
Standard T&Cs May No Longer Be Deemed a Defense
At the heart of this decision is the use of standard contractual clauses to move EU data to the US. These legal contracts, prepared by the European Commission, contain safeguards to ensure personal data continues to be protected when transferred outside Europe. But there are concerns these data flows still expose European citizens to weaker privacy laws in the US. The decision shows that Meta’s standard contractual terms didn’t adequately protect the company. In other words, where Meta thought it was compliant, this was not the case, which means the standard T&Cs most, if not all, companies are using as part of their defense may be deemed non-compliant.
Ultimately, this fine and Meta’s data suspension shift the needle on the importance of data protection to businesses everywhere. It firmly cements data protection as not a nice-to-have but a necessity for operation, which every organization must take seriously.
Fines in the billions have only previously been reserved for the worst breaches of responsibility. The €1.2bn figure casts a large shadow over the previous EU record fine of €746m ($877m) handed to Amazon. That the figure is comparable to the money laundering scandals of Westpac ($1.3bn), Danske Bank ($2bn) and HSBC ($1.9bn) only further highlights the importance of this decision to the future of data protection and EU-US data flows.
A Ripple Effect Across Industries
The decision will have implications that will ripple far beyond the technology ecosystem. Industries heavily reliant on this type of data flow, particularly supply chain, manufacturing, financial services and petroleum/chemical, will now be considering their use of data more than ever before. And unlike Meta, for many of these organizations, a fine of this magnitude and a data blackout could have serious implications – ones they may not survive.
What is becoming clear from this fine and others in the past years is that the EU is happy to penalize non-EU companies. Evidence to date points to this. The total GDPR fines amount to €4bn ($4.3bn). Ireland’s total is €2.5bn, of which Meta accounts for €2.2bn (including WhatsApp). The second largest fine was issued by Luxembourg, at €750m, again against a non-EU company, Amazon.
Of course, Ireland doesn’t want to deter technology companies like Meta and Amazon from operating in the country, but clearly, the EU has pressured the Irish regulatory authorities to increase fines to the current rate.
It is interesting to analyze where the EU has levied the most fines to date. The fact is that around 75% have been on non-EU companies and countries. The EU is stamping its authority where it can and, outside of the EU, coming down heavy where companies and countries are deemed too lenient. Hence one must assume that UK plc will also come under further scrutiny due to Brexit, as we will be perceived as competitive to EU business and fall into the non-EU bracket.
Companies Will Make a Judgement Call on Fines
The Meta (Facebook) fine of €1.2bn is small change when considering their annual revenues are $116bn. Given that Meta recently changed from a four-year to a five-year amortization model, the fine will cost $260m annually, equivalent to 0.002% of revenue. If we look at the case of Nike’s Air Jordan trainers, this demonstrates how organizations may opt to be non-compliant and just pay the fine. Nike took the decision to make Michael Jordan’s trainers non-white and to pay the fine every time he played a game.
However, the fines themselves aren’t the big issue. Breaking data products is the issue that will have a bigger effect on those data-heavy industries mentioned above.
The Meta fine will likely create a step-change to this approach, as the area where it will have the most significant impact is on Meta’s annual advertising revenues ($113bn). Any change that weakens the profitability of the company’s advertising business has a far greater bearing than any fine might have. For example, this means that its global dataset is no longer global, so Meta may be forced to change its advertising products. Longer term, this could have a huge influence on technology organizations in the way that they develop their data products. Meta’s advertising capability is its crown jewel, and if this latest ruling prevents it from having a data product or prohibits the data it collects, this could be seriously detrimental to revenue. Also, it could have a similar effect on other industries where data is a product or an asset, so pharmaceutical companies, global supply chains, financial services and many other industries need to consider this.
Understanding How Cross-Border Data Flows
At the end of the day, the EU doesn’t want to prevent companies from doing business or destroy businesses, but it must levy fines where data privacy is deemed to be at risk. This could put certain industries that are not as advanced as technology or financial services companies, such as pharmaceutical and supply chain firms, at significant risk if their cross-border data flows are deemed non-compliant.
It will be interesting to watch this space and how the Meta ruling continues to unfold.