Meta’s record €1.2bn fine came over objections of Ireland’s regulator, which didn’t want a fine
Meta’s huge €1.2bn fine for Facebook data transfers to the US came about over the objections of the Irish data regulator, according to Europe’s data protection oversight authority.
Helen Dixon’s office had not initially included a significant fine, arguing that it would be “disproportionate” and serve little point on top of the main sanction of data suspensions. Her office also argued that it would be out of kilter with other regulatory precedents.
However, the European Data Protection Board (EDPB) overruled the Irish data regulator, arguing that Meta’s infringement was of such a “significant nature, gravity and duration” that it deserved a big fine.
It’s not the first time that the Irish regulator has seen its recommendation on a proposed fine revised upwards on foot of objections from other European data protection authorities.
Under European law, the Irish office was obliged to circulate details of its draft decision to other European data protection regulators in advance of a final public verdict.
However, four of the 47 European regulators took issue with the Irish watchdog’s position, appealing it to the EDPB for mediation. The objectors’ main issues were that there was no fine and that Meta did not have to delete any data on US servers.
The EDPB agreed with the objectors, saying that Meta’s transgression deserved a substantial fine in addition to other “corrective” measures. It then ordered the Irish office to amend its decision and include a big fine.
“The [Irish regulator] takes the view that the imposition of an administrative fine in addition to an order directing the suspension of the data transfers would not be effective, proportionate and dissuasive,” the European Data Protection Board said in its ruling.
“[The Irish office said that a fine] would not render the DPC's response to the findings of unlawfulness any more effective.”
The European body quoted the Irish office’s draft decision, which said that “'in the particular circumstances of this case, or in relation to transfers generally, the imposition of an administrative fine on top of the suspension would [not] have any meaningful dissuasive effect, particularly when set against the consequences said to attach to an order directing the suspension of transfers”.
But regulators from Germany, France, Spain and Austria disagreed.
“Not imposing a fine on Meta Ireland would demonstrate to controllers – including Meta Ireland – that past infringements of the GDPR will not be properly addressed and that the enforcement of the GDPR and its provisions is not as effective,” according to the Austrian data regulator, in its statement of objection to Ireland’s draft decision.
“There would be little incentive to bring processing in connection with the transfer of personal data to a third country in compliance with the GDPR. Since Meta is the provider of the biggest global social media network with an enormous number of users within the European Union and thus affected persons, not properly addressing the identified infringement… would generally weaken the position of the supervisory authorities and endanger compliance with the GDPR on a general level.”
In a statement today, the Irish DPC said that it had initially disagreed with calls for an administrative fine and the deletion of EU user data in the US, because “the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being appropriate, proportionate and necessary” to address the infringement”.
Her office had also argued that other GDPR infringements sustained against Google, in cases initiated by the Austrian campaigner Max Schrems, did not attract significant fines.
However, it said that following the EDPB’s ruling on the matter, it then assessed the size of the fine at €1.2bn.