Meta faces GDPR penalty on top of order to halt data transfers

Meta is getting ready for the cessation of its EU-U.S. data transfers, as well as a fine for violating the EU General Data Protection Regulation, according to filings made with the U.S. Securities and Exchange Commission. 

In its Q1 2023 Form Q-10 and Q1 2023 earnings report, the company informed investors about the consequences of the forthcoming final verdict from Ireland’s Data Protection Commission on the legitimacy of its EU-U.S. data transfers. 

The DPC order is set to be officially released by 12 May, and if an adequacy decision via the proposed EU-U.S. Data Privacy Framework is not granted before the order takes effect, it could force Meta to stop its EU operations. Furthermore, the social media giant is preparing for a potentially significant monetary penalty, as well as remedial measures from the DPC after getting recommendations from the European Data Protection Board.

In its earnings report, Meta outlined its expectation of the Irish DPC to make a decision this month in “its previously disclosed inquiry relating to transatlantic data transfers of Facebook EU/EEA user data, including a suspension order for such transfers and a fine.”

“We expect that the deadlines to comply with the (DPC) decision will be no earlier than the fourth quarter of 2023…Once the final decision is issued, we will have an opportunity to appeal and seek a stay,” Meta said, adding its fears that the charge will be “substantial.”

Caitlin Fennessy, the IAPP Vice President and Chief Knowledge Officer stated that the anticipated cessation of transfers order and any subsequent remedial actions that are yet to be revealed might have a more significant impact than even a record fine. 

She added that restricted data flows and the subsequent changes in the data-driven business model could have far-reaching financial repercussions for Meta and numerous other firms. Meta’s transfer challenges stand to be resolved by when a new data transfer mechanism comes in to replace the EU-U.S. Privacy Shield Framework. 

The pathway towards finishing a new mechanism remains uncertain as the European Commission strives to reach a final adequacy decision with the U.S. under the proposed EU-U.S. DPF. 

Previously, European Commissioner for Justice Didier Reynders hinted that the DPF might be concluded as soon as July, which could be appropriate timing if the order includes a three-month implementation window, as some previous orders have done. 

“Our ongoing consultations with policymakers on both sides of the Atlantic continue to indicate that the proposed new EU-U.S. Data Privacy Framework will be fully implemented before the deadline for suspension of such transfers, but we cannot exclude the possibility that it will not be completed in time. We will also evaluate whether and to what extent the (DPC) decision could otherwise impact our data processing operations even after a new data privacy framework is in force,” Meta said.