This update provides a summary of the ruling and other comparable fines under the GDPR. It provides a timely reminder of the restrictions under the GDPR on the transfer of data from Europe, as well as the benefits to New Zealand of our status as an “adequate” jurisdiction under the GDPR.
For further background on GDPR and the potential implications for New Zealand businesses, please see our previous updates here and here.
Overview of the case
The case concerns the transfer of personal data by Meta from the EU/EEA to the USA.
It dates back to the now infamous European Court of Justice (ECJ) judgment, known as “Schrems II”[1], also against Meta, in 2020. Schrems II repealed the EU-US Privacy Shield decision which, at that time, was relied on by Meta. That decision had previously provided a basis for free data flows to the US. It involved concerns over European users’ data not being sufficiently protected from US intelligence agencies when transferred to the US. The ECJ, at the time of its Schrems II decision, confirmed that GDPR Standard Contractual Clauses (preapproved model clauses) would continue to be valid subject to various legal safeguards.
Following Schrems II, Meta updated its practices, including to utilise the GDPR Standard Contractual Clauses in conjunction with additional supplementary measures. The Irish Data Protection Commission accepted that Meta had updated its practices in good faith but found that the updated arrangements implemented by Meta did not sufficiently address the risks to the fundamental rights and freedoms of data subjects that were identified in Schrems II.
Notably:
- The record fine was imposed by the European Data Protection Board – the decision was referred to the Board by the Irish Data Privacy Commission (as required under the GDPR, as a consensus could not be reached over the order that should be made in relation to Meta’s non-compliance).
- In setting the record fine, the Board emphasised that the infringement concerned transfers that were systematic, repetitive and continuous, as well as a large volume of data (relating to millions of Facebook users in Europe).
- The Board also ordered Meta (via the Irish Data Protection Commission) to bring its processing operations into compliance with the GDPR by, for example, “ceasing the unlawful processing, including storage, in the US of personal data of EU users transferred in violation of the GDPR” within six months (the implementation period).
Meta has announced that it intends to appeal both the substantive decision and the level of the fine, and that is will seek a suspension of the implementation period pending the outcome of the appeal.
Regulators’ response – Trans-Atlantic Data Privacy Framework
Meta has highlighted that thousands of other companies that provide services in Europe also use the same Standard Contractual Clauses as a basis for data flows. The basis on which those data flows are permissible (if at all) is far from clear.
In response to this issue, EU-US policymakers are currently progressing a Trans-Atlantic Data Privacy Framework. To avoid any disruption to is users, Meta is strongly advocating the progress of this framework and its commencement before the implementation period expires. EU and US officials have announced that they are targeting a commencement date in July 2023.
The Irish Data Protection Commission has confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects’ data, once the Trans-Atlantic Data Privacy Framework has commenced.
Snapshot – increasing fines under the GDPR
The table below shows previous significant fines under the GDPR[2]. Before Meta’s record €1.2 billion fine, the previous record was a €746 million fine imposed on Amazon by Luxembourg’s privacy regulator in 2021.
Company |
Date |
Fine |
Country |
Relevant issue |
Meta Platforms Ireland Limited |
12 May 2023 |
€1.2 billion (NZ$2.1 billion) |
Ireland |
International data transfers from the EU to USA. |
Amazon Europe Core S.á.r.l. |
16 July 2021 |
€746 million (NZ$1.3 billion) |
Luxembourg |
Processing of customer personal data in connection with Amazon’s advertising targeting system (carried out without proper consent). Class action filed by 10,000 Amazon customers. |
Google LLC |
31 December 2021 |
€90 million (NZ$156 million) |
France |
Tracking users’ online activity (inconsistent with prior consent for the use of cookies). |
British Airways |
16 October 2020 |
Over €22 million (reduced from approximately €202 million) (NZ$38 million) |
United Kingdom |
Failure to implement adequate security measures (technical and organisational) to prevent a major data breach which affected more than 400,000 customers (both personal and credit data). |
Marriott International, Inc |
30 October 2020 |
Over €20 million (reduced from approximately €108 million) (NZ$ 35 million) |
United Kingdom |
Failure to implement adequate security measures (technical and organisational) to prevent and detect a major data breach (Marriott failed to detect its system was compromised for four years). The breach affected approx. 339 million guest records worldwide. |
*$NZ value is approximate only
Application to New Zealand
The ongoing issues with the free data flows to the US highlights the value to New Zealand of having the status of an “adequate jurisdiction” under the GDPR. This is, in effect, comparable to the proposed Trans-Atlantic Data Privacy Framework. It means that the restrictions on the transfer of data from the EU do not apply to data transfers to New Zealand. However, New Zealand’s status as an “adequate jurisdiction” is currently under review by the European Commission.
The Office of the Privacy Commissioner has lobbied for higher penalties under the Privacy Act and stronger powers for the Office of the Privacy Commissioner. The international trend of increasingly significant data protection fines, as well as the review of New Zealand’s status as an “adequate jurisdiction”, is likely to keep the penalties and powers under the Privacy Act on the agenda in New Zealand.
If you have any questions or require any other guidance, please contact our Consumer, Regulatory and Compliance (CRC) team or your usual Bell Gully advisor.
[1] Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (“Schrems II”), 16 July 2020 [2] https://www.enforcementtracker.com/