For several years now I’ve watched as the Irish Data Regulator has valiantly fought to sweep Meta’s sins under the carpet.
There’s a long history of regulatory incompetence in Ireland, but I can’t help suspecting that this case has been driven more by the Data Protection Regulator wanting to keep Meta onboard and protecting the MNC rather than protecting the public.
A bit of background to this record fine.
Schrems’s battle with data regulators
Max Schrems, an Austrian privacy campaigner, paid three visits to the office of the Data Protection Commissioner when it oversaw Facebook, Google, Dropbox and the rest of big tech from above a shop in Portarlington, Co Laois. On his first visit, Schrems says an official gave him a 15-minute dressing down for criticising the DPC in press interviews.
On another occasion he was told no one was available to speak to him about a privacy complaint he had lodged. “I was like, ‘this is childish and I can be just as childish as you’,” he said. So the dogged Austrian phoned the DPC every hour, until finally an official texted to say no one would talk to him. “After that they didn’t really respond to any emails any more, even though there was an open, pending case,” Schrems claimed in 2018 in an interview with Frontline.
In 2014, Billy Hawkes, as data protection commissioner, rejected one of Schrems’s cases against Facebook as frivolous and vexatious. That decision was overturned by the courts, and the process finally concluded on Tuesday with the DPC fining Facebook’s owner Meta €1.2 billion for violations of European data privacy laws.
Schrems’s relationship with regulators has not improved. “We regularly have to sue DPAs [with costs of €2,000-€5,000 on average], to get ‘free’ GDPR complaints decided,” he tweeted after the Meta fine was announced.
Irish watchdog opposed €1.2bn Meta fine, saying it would have no ‘meaningful dissuasive effect’
Case centres on Facebook’s transfers of personal data to the US in defiance of EU law
*Meta, which plans a court appeal against the ruling, claimed it was flawed and unjustified.*
A record €1.2 billion fine against Facebook owner Meta for violating privacy law was imposed in the face of claims by Ireland’s data regulator that no financial sanction was needed.
The penalty against one of the world’s largest companies was imposed on Monday after Data Protection Commissioner Helen Dixon’s European counterparts dismissed her argument that a fine would have no “meaningful dissuasive effect” on Meta.
It was the biggest fine since Ms Dixon assumed sweeping powers in 2018 to supervise the European operations of large tech companies such as Meta, which have their EU headquarters in Ireland.
The regime was billed as a game-changer in the drive to control how business exploits consumers’ personal information, although critics say enforcement should be sharper and swifter.
Meta, which plans a court appeal against the ruling, claimed it was flawed and unjustified. But European regulators accused the company of “the highest degree of negligence” with personal data, as they instructed Ms Dixon to impose a large fine.
She is lead European Union regulator for Meta with responsibility for pan-European investigations into any violations of the data of hundreds of millions of users. Still, her conclusions must be approved by EU counterparts in a Brussels-based body called the European Data Protection Board (EDPB).
Records show Ms Dixon met a backlash from Austrian, German, French and Spanish regulators for saying there should be no financial penalty at all.
The case centres on Facebook transfers of personal data to the United States, in defiance of EU law after a 2020 European court ruling struck down the arrangements. The data included “photographs, videos or messages” and “everyday data of social interactions with family, friends, acquaintances and others”.
The social media giant, one of the State’s biggest taxpayers, has been directed to suspend any future transfers within five months. It must also cease within six months “unlawful” processing and storage in the US of European data.
The latest sanction against Meta brings its total EU sanctions for privacy violations to some €2.5 billion. But Ms Dixon had argued that a fine on top of an order to suspend the data transfers would not be proportionate.
“I expressed the view, in the draft decision, that the imposition of an administrative fine would not render the [Data Protection Commission’s] response to the findings of unlawfulness any more effective,” she said in case papers.
“Nor did I consider that, in the particular circumstances of this case, or in relation to transfers generally, the imposition of an administrative fine on top of the suspension would have any meaningful dissuasive effect.”
Such assertions met resistance from four other regulators, who insisted on a fine when the case went to the European board. That body agreed, saying a suspension order alone would “not be enough to produce the specific deterrence effect necessary to discourage Meta” from continuing the infringements.
“The [EDPB] considers that, taking into account the nature and scope of the processing, as well as the very high number of data subjects affected, Meta [Ireland] committed an infringement of significant nature, gravity and duration,” it said.
“The EDPB takes the view that the imposition of an administrative fine in addition to the suspension order would have an important deterrence effect, which the imposition of a suspension order alone cannot have.”
An earlier wrangle between the Irish Data Protection Commissioner and her EU colleagues.