2 Key Steps to Take to Avoiding a Similar Fate
The complications of avoiding breaches relating to the European Union GDPR were again laid bare this week. Meta’s platform Facebook received a record-breaking fine totaling $1.3 billion (1.2 billion EURO) imposed this week by Ireland’s Data Protection regulator, sending shockwaves around global business circles.
Regulators have given Meta five months to implement the suspension of Facebook data transfers from the EU to the US. Additionally, regulators gave them six months to cease processing (including storage) in the US of personal EU data already transferred.
The regulators imposed this substantial punishment after finding violations of EU privacy laws. Other major multinational companies have violated these laws. In 2021, Amazon faced charges and fines amounting to $805.7 million (746 million EURO) for similar breaches.
Meta’s EU base is in Ireland, and the company claimed that an Irish regulator had wrongly “singled out” Meta. Meta asserted that Facebook was sanctioned for relying upon the same data transfer mechanism used by thousands of other companies. The Irish regulator has now said that SCCs give insufficient protection for data transferred to the US. They assert that US intelligence agencies do not sufficiently protect European users’ data when it is transferred across the Atlantic. Additionally, regulators cited concerns arising from the Edward Snowden revelations.
Meta is launching an appeal against the penalty and the regulator’s findings.
Let’s examine two key steps to help avoid falling into the traps Meta has faced this week.
Step 1: Don’t drop the homework.
Since the passing of the EU’s signature GDPR law on May 25, 2018, compliance issues around data protection in the EU and any country receiving EU residents’ data have become a slippery slope. There are 98 articles outlining the framework in place for the GDPR. GDPR is a highly complex and detailed law. In fact, GDPR is one of the most extensive pieces of legislation of any nature the EU has passed in the past 50 years. The requirement from policymakers is that you are fully aware of and compliant with every aspect of the GDPR and are ready to maintain its many internal and external data policies and other legal compliance requirements from the word go.
The GDPR legislation is so complex and voluminous that achieving compliance without specialist input and assistance is impossible. HSP is well-positioned to advise on all aspects of GDPR (and other global data protection frameworks). HSP’s specialist in-house privacy counsel has advised extensively on every aspect of the GDPR since its inception in 2018 and has experience advising on data protection issues in over 140 countries worldwide.
Step 2: Act as if your headquarters are in the EU.
The jurisdiction of the EU in enforcing GDPR is not location-exempt. The GDPR has “extra-territorial jurisdiction,” which means that the EU regulators can pursue infringements of the GDPR against any organization in the world, even if that organization has no presence and no employees in the EU. Suppose you collect (or “process’) any EU residents’ personal information/data. In that case, you are subject to the full compliance requirements (and potentially the full range of sanctions) of the GDPR, no matter where you are located.
Meta emphasized the importance of data sharing between the US and EU. They consider a “global open internet” as vital for offering goods and services worldwide, referring to progress made in addressing EU concerns over US data surveillance.
These may or may not be valid geopolitical points. As of now, they remain separate from the absolute requirement for strict compliance with the GDPR within the EU. You, too, could potentially be subject to draconian penalties if you collect the data of any EU residents and are not FULLY compliant with all aspects of the GDPR. Organizations must review their position and take urgent steps to address any current non-compliance with the GDPR.
Work with experts
HSP Group offers the expertise you need to stay compliant with GDPR across all your organizational practices to help avoid the operational, commercial, financial, and reputational damage that will result from sanctions for infringements. We specialize in helping companies just like yours expand internationally with ease. Whether you need GDPR advice for the EU or UK or any other data protection service for other countries globally, we tailor our engagement to your needs. We will be happy to discuss any aspect of that service with you.
About the author: Paul Sutton is an HSP General Counsel and one of the UK’s most experienced data privacy lawyers. He has advised on data protection requirements and compliance in around 140 countries. Contact Paul at psutton@hsp.com
