The headline was clear: Meta fined record €1.2 billion by Irish regulator for violating European privacy rules. Alongside a fine that was a full 60 per cent higher than the previous record penalty imposed on a platform for its transgressions, Facebook’s parent was also ordered to suspend transfers of data on EU users to the US within five months and stop processing or storing data already transferred over recent years.
A landmark ruling in a landmark case and victory then for the guardians of our data. Not quite.
A reading of the actual final judgment by the Data Protection Commission – Ireland’s data privacy watchdog – makes clear that it was minded to impose a much milder slap on the wrist.
The agency, and its head, Helen Dixon, argued that it would be enough to simply tell Facebook not to send any more EU user data across the Atlantic. And her report noted that “a suspension order is more appropriate than a [permanent] ban [on such transfers] because, if measures become available to make the data transfers compliant, then the suspension could be re-considered”.
Speaking just after the Meta judgment, the European Commission said the EU expects to have a new agreement with the US to allow such transfers in place by the summer.
If that timeline is delivered, Facebook would effectively escape with no penalty at all.
The final DPC judgment confirms that it was only on the instruction of the European Data Protection Board – the gathering of EU data privacy regulators that must approve penalties for cross-border breaches – that she imposed any financial penalty, or required any action by Facebook on the years of data it has already transferred to the US in a manner that has subsequently been found to be illegal.
Rightly or wrongly, as the fifth anniversary of the General Data Protection Regulation (GDPR) approaches later this week, it gives the impression yet again of a regulator erring on the side of the transgressor rather than the wronged.
That can only reinforce the determination of regulators across Europe to press harder to strip the Irish regulator of its power to oversee investigation of complaints against Big Tech across international borders.