Shelly Kramer is a Principal Analyst at V3B.
In May 2023, Meta was fined a record-breaking 1.2 billion euros ($1.3 billion) by the Irish Data Protection Commission (DPC) for breaching the General Data Protection Regulation (GDPR). The DPC ruled that Meta broke privacy laws by transferring Facebook EU users’ data illegally from Europe to the United States—and I believe this ruling will play a major role in the reason that Threads, Meta’s recently rolled-out social network, won’t be available in the EU in the near term.
The Problem Is All About User Data Protection
Irish regulators took issue with data transferred by Meta because of allegations that user data is processed, transferred and/or stored in the U.S. and alleged that adequate user data protections are not in place. The ruling does not affect data transfers from Instagram and WhatsApp, but with the somewhat meteoric rise of Threads following its debut in July 2023, I have a feeling there will be a closer look taken by the DPC on this front.
In another bonus for Meta, the company has six months to address the DPC’s mandate to stop what it terms unlawful processing of EU user data that has already been transferred to the U.S. and the storage of that data on Facebook servers.
The Global Impact Of the GDPR
The EU has led the way when it comes to consumer data privacy and security laws, making the rights and protection of its citizens and their data paramount. The GDPR was the first major privacy statute to be put into place across the globe, something that the U.S. has not yet done.
EU privacy regulators have hit major U.S. tech companies with large fines over the last several years in GDPR-related matters, including an $887 million fine levied on Amazon in Luxembourg and a $267 million fine on WhatsApp in Ireland. The fine levied on Meta is the largest to date. These large fines shed light on the long-standing political and legal challenges that organizations (and regulators) have reconciling U.S. laws on consumer data with EU laws.
This landmark fine imposed on Meta sends a clear message to companies relying on standard contractual clauses (SCCs) that they are violating GDPR.
What’s Ahead For Meta—And The Tech Industry As A Whole
The headache for Meta is getting its arms around the data in question, especially if it must remove data for EU users going back a significant period of time. Beyond that, if Meta is ultimately forced to stop its data transfers, it will be both costly and challenging.
Moreover, this regulatory uncertainty could also impact the ability of Meta to roll out Threads in the EU in a timely manner. The Threads app gained 100 million users in less than a week, but millions of potential users in the EU are going to have to bide their time until the resolution of these data privacy issues.
The massive fine Meta received from the Irish regulator reflects the growing scrutiny and regulatory pressure that tech companies face, particularly in relation to data protection and privacy. It also emphasizes the increased focus on accountability and compliance with privacy regulations as authorities seek to hold companies accountable for mishandling user information.
What Organizations Need To Be Thinking About Moving Forward
To comply with GDPR, companies need to figure out what data they have and where it is stored, provide justification for why they store it and organize the data in a way that any data requests from the public or authorities can be swiftly handled. This is a big task, and if your IT team doesn’t have the ability to do a data audit and strategically organize the data, working with a trusted vendor partner is definitely worth considering.
There is no one perfect solution for every organization, but starting with a comprehensive data audit is recommended. Further, not all data needs to be stored indefinitely, so as part of the audit, figuring out what data has been retained and what the use cases are for that data—and, ultimately, working to retain only the most important data—should be part of the overall strategy.
Lastly, as part of your data governance strategy, setting policies and practices around external and partner-related data sharing is an important part of the equation. I’m not an expert on data management or data storage, so I won’t endeavor to provide more specific advice. However, if this is not expertise that you have in-house, there is no shortage of partners to work with who can help.
Having a strategy around data management and sharing is critical. If a company is unable to respond to a data request, it will be clear the company’s ability to comply with GDPR is suspect—opening it up to scrutiny and potential fines.
Most importantly, we need to explore a universal data privacy framework that can be agreed upon by both the EU and the U.S. Many companies are hoping a new EU-U.S. data privacy framework will help them be able to process and store EU data, but it still needs final approval in the EU. European Commission spokesperson Christian Wigand said in a statement (via The Washington Post): “This would provide the stability and legal certainty that companies look for while ensuring strong protections for the privacy of individuals.”
Let’s hope this is something we can ultimately see regulators agree on and get to work quickly to resolve these challenges.