In the largest fine yet under the European Union’s GDPR, the Irish Data Protection Commission fined Meta $1.3 billion for data privacy violations by its Facebook service in routinely transferring personal data on EU citizens to the US for storage. The GDPR enforcers gave Meta six months to change its data practices, in what would be a massive job.
A preliminary deal between the US and EU, the Trans-Atlantic Data Privacy Framework, could relieve Meta of some obligations on storing data in the US if accepted by the EU soon. The framework added controls on access to Europeans’ data by US intelligence agencies to meet a privacy demand of the EU.
Regardless of the outcome of the Meta/Facebook case, the EU is sounding a militant tone on data privacy. “The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences,” European Data Protection Board Chair Andrea Jelinek said in a statement. European data regulators issued a record $1.8 billion in fines last year, a 50% increase from 2021, per a survey by law firm DLA Piper.
Assuming you’re processing data from European sources – how should you factor the Meta fine into your loss-exposure analysis?
"The fine is an outlier as Meta collects and stores large swaths of data," commented Justin Theriot, Data Science Manager for RiskLens. "No other company has such a rich dataset on European citizens. Moreover, that data enables the development and analysis of social-network graphs, a tool that can be used by intelligence agencies.” Other motivating factors for the regulatory action: The Irish Data Protection Commission had previously fined Meta for similar behavior, and no EU-US data privacy agreement is currently in effect.
Still, Justin sees some serious cautions for US-based international companies in the latest GDPR activity by regulators.
He says the three factors to watch are first, where your data analysts are located (US vs EU), second, what type of data they are storing, third what they are doing with it.
A case in point would be the GDPR fine of $877 million levied by the privacy authority in Luxembourg against Amazon for collecting user information without consent for the purpose of ad targeting – basically, Amazon’s business model. This could threaten the machine learning plans of US companies large and small; “based on the Amazon case it is entirely feasible that an international company could be using data improperly by training machine-learning algorithms, violating the regulations in the region that originated the data,” Justin says.
And it’s not like the US will be a haven from data privacy laws, Justin notes. “The Wild West days are ending here” for data collection Just this week, Indiana, Iowa, and Tennessee all passed state consumer privacy laws, making a total of eight states with such laws. American juries have not looked kindly on data-breach and other data-privacy defendants: According to RiskLens data science research, North American firms are 95% less likely to experience fines and judgement than their EU counterparts, but they will be 275% more costly when they incur.
RiskLens does extensive research into the probability and magnitude of legal fines and judgements for data breach and other cyber loss events. See how your industry ranks for loss exposure in fines and judgements: Try the My Cyber Risk Benchmark tool now.