A preliminary deal between the US and EU, the Trans-Atlantic Data Privacy Framework, could relieve Meta of some obligations on storing data in the US if accepted by the EU soon. The framework added controls on access to Europeans’ data by US intelligence agencies to meet a privacy demand of the EU.
Regardless of the outcome of the Meta/Facebook case, the EU is sounding a militant tone on data privacy. “The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences,” European Data Protection Board Chair Andrea Jelinek said in a statement. European data regulators issued a record $1.8 billion in fines last year, a 50% increase from 2021, per a survey by law firm DLA Piper.
Assuming you’re processing data from European sources – how should you factor the Meta fine into your loss-exposure analysis?
Still, Justin sees some serious cautions for US-based international companies in the latest GDPR activity by regulators.
He says the three factors to watch are: first, where your data analysts are located (US vs. EU); second, what type of data they are storing; and third, what they are doing with it.
A case in point would be the GDPR fine of $877 million levied by the privacy authority in Luxembourg against Amazon for collecting user information without consent for the purpose of ad targeting – basically, Amazon’s business model. This could threaten the machine learning plans of US companies large and small; “based on the Amazon case it is entirely feasible that an international company could be using data improperly by training machine-learning algorithms, violating the regulations in the region that originated the data,” Justin says.
And it’s not like the US will be a haven from data privacy laws, Justin notes. “The Wild West days are ending here” for data collection. Just this week, Indiana, Iowa, and Tennessee all passed state consumer privacy laws, making a total of eight states with such laws. American juries have not looked kindly on data-breach and other data-privacy defendants: according to RiskLens data science research, North American firms are 95% less likely to experience fines and judgements than their EU counterparts, but those fines and judgements are 275% more costly when they do occur.
RiskLens does extensive research into the probability and magnitude of legal fines and judgements for data breach and other cyber loss events. See how your industry ranks for loss exposure in fines and judgements: Try the My Cyber Risk Benchmark tool now.