Meta receives record fine for breach of privacy

It bards for Facebook! Meta, Mark Zuckerberg’s company, has been fined 1.2 billion euros by the Irish regulator for violating European data protection rules (GDPR) with its Facebook social network, the highest fine ever imposed in Europe for this type of offence. Meta, which intends to appeal, is condemned for having “continued to transfer personal data” of users from the European Economic Area (EEA) to the United States in violation of European rules in the matter, indicated in its decision the Irish Data Protection Commission (DPC), which acts on behalf of the EU. Meta must also “suspend any transfer of personal data to the United States within five months” of notification of this decision and must comply with the GDPR within six months, added the DPC. This sanction, the highest imposed by a data protection regulator in Europe, the DPC told AFP, is the result of an investigation launched in 2020.

Unjustified and unnecessary

Meta calls the fine “unjustified and unnecessary” and will seek legal action to suspend it, the social media giant reacted immediately in a statement sent to AFP on Monday. “Thousands of businesses and organizations rely on the ability to transfer data between the EU and the US” and “there is a fundamental rights conflict between US government rules on data access and European privacy rights,” continues the Californian giant. Meta hopes to see the United States and the European Union adopt during the summer a new legal framework for the transfer of personal data, in the wake of an agreement in principle adopted last year.

Read also The Competition Authority brings Facebook to heel

Third fine since the beginning of the year

This is the third fine imposed on Meta since the beginning of the year in the EU, and the fourth in six months. In January, the DPC had heavily sanctioned the group to pay nearly 400 million euros for offenses on the use of personal data for advertising purposes targeting its Facebook, Instagram and WhatsApp applications, then in March, to 5.5 million euros for violating the GDPR with his WhatsApp message. Since then, Meta has committed to changing its terms of use in Europe to be able to continue to collect and process the personal data of its European users. These sanctions come in a context of strengthening controls and judicial procedures in the European Union, but also in the United States, against GAFA (Google, Amazon, Facebook and Apple), and the measures recently taken against the Chinese giant TikTok. In 2021, Amazon had in particular been fined 746 million euros in Luxembourg for non-compliance with the GDPR. The group which intends to appeal, is condemned for having “continued to transfer personal data” of users from the European Economic Area (EEA) to the United States in violation of European rules in the matter, indicated in its decision the Irish Data Protection Commission (DPC), which acts on behalf of the EU.

Read alsoWhy GAFA undermine technological revolutions

Meta is not alone

This is not the first time that companies have been sanctioned for non-compliance with the GDPR. And not the first time either that large groups have ignored European laws. On May 10, the Cnil demanded a fine of 5.2 million euros from the American facial recognition service Clearview for not having paid the fine of 20 million euros imposed in October and above all for not having modified its photo collection practices. “The company has not sent any proof of compliance”, explains the Cnil. Already in October, the New York company had made it known that it was not ready to obey these injunctions. The American giants are not the only ones to be sanctioned. Doctissimo, the French site specializing in health topics, received a fine of 380,000 euros from the Cnil for several breaches concerning personal data. In particular, he is accused of keeping the data without a time limit and collecting it without consent.

The law is broken

The difficulty of controlling personal data remains a reality despite the GDPR. The law itself “makes sense but the big problem is that it is not applied”, summarizes Max Schrems, interviewed by AFP at the premises of his Viennese association Noyb (for “None of your business “, meaning “it’s none of your business”). “The delta between what is written on paper and the facts is considerable”, he is indignant. “For an ordinary citizen, it is almost impossible at present to assert their rights. This is the sad truth”. Max Schrems, 35, deplores that such fundamental freedom is flouted to such an extent: it is as if “you had the right to vote but the ballot boxes were absent”. Faced with the strict obligations imposed by the GDPR, companies have taken “frontal measures” without seriously tackling the problems, he believes. Statistics show that only 3% of users are actually willing to approve cookies, but over 90% are pressured to say yes “due to misleading design”. And why would companies bend to the rules since they are not or little sanctioned? asks Max Schrems. Tech majors like Google or Meta, Facebook’s parent company, which thrive on the use of private data, have certainly been fined tens or even hundreds of millions of euros following proceedings initiated by Noyb. But they “pocket 10 to 20 times more money by breaking the law”, says the activist, regretting the indifference or inefficiency of national regulators.

with AFP