On 22 May 2023, Ireland’s Data Protection Commission (DPC) announced the largest penalty thus far when it hit Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) with a €1.2 billion fine.
The decision followed an investigation into Meta Ireland’s unlawful transfer of personal data belonging to EU/EEA citizens to the US, which has weaker privacy laws.
Significantly, the Information Commissioner’s Office, the UK data regulator, said that this ruling will not impact Facebook within the UK. But the Open Rights Group (ORG), which campaigns on digital rights and freedoms, warns that UK government proposals to change data protection laws will make it easier for organisations to transfer UK and EU personal data to third countries with weaker privacy protections, including the US.
Such transfers of large amounts of personal data to the US fly in the face of multiple decisions from the Court of Justice of the European Union (CJEU) which ruled against the data transfer arrangements between the EU and US in 2015 and again in 2020. The CJEU repeatedly determined that US surveillance powers violated fundamental rights and freedoms guaranteed to people living within the EU. The European Commission and the US remain in negotiations over how to reach an agreement which sufficiently addresses the concerns of the CJEU.
Meta Ireland Fine “Exposes Flaws” in UK Data Protection and Information Bill
Although the GDPR remains law in the UK in the form of the Data Protection Act 2018, the UK government is attempting to replace it via the Data Protection and Digital Information (No 2) Bill (Data Protection Bill).
The DPC’s decision against Meta Ireland “exposes flaws” in the Data Protection Bill, “which could allow the UK to transfer data to countries that have poor data protection,” Abigail Burke, Policy Manager for ORG, said in a statement on the day the DPC fine was announced. “In effect this could allow the data of EU citizens to be laundered through the UK,” Burke added.
The DPC justified its fine on the fact that Meta Ireland infringed Article 46(1) of the General Data Protection Regulation (GDPR) — which regulates the transfer of personal data to a third country or organisation — when it “continued to transfer personal data from the EU/EEA to the USA” in violation of the CJEU judgement in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. The DPC found that the precautions taken by Meta Ireland to protect the data of its users “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgement.”
The DPC decision reflects the importance of the ability of regulators, as well as private individuals and organisations, to challenge how businesses handle vast amounts of private data.
As part of its investigation into Meta Ireland, which began in 2020, the DPC consulted with other European regulatory bodies. Some of the partners insisted that Meta should be forced to “address the personal data that had already been unlawfully transferred to the US” since 2020, although the DPC ultimately disagreed with this position.
In addition to the €1.2 billion fine, the DPC ordered Meta to:
- suspend any future data transfers to the US within five months; and
- cease the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months.
Before making its final decision, and due to the disagreements over the nature of the remedies that should be demanded of Meta, the DPC referred the case to the European Data Protection Board (EDPB) whose decision the DPC is obligated to follow. The EDPB’s own decision in this case can be found here.
President for Global Affairs at Meta Platforms (previously known as Facebook, Inc), Nick Clegg, who served as Deputy Prime Minister of the UK during the Liberal-Conservative coalition government from 2010 to 2015, called the decision “flawed” and “unjustified” and said that Meta will appeal the decision.
UK Bill Would Water Down Data Rights and Protections
The GDPR mandates:
- Obligations to use personal data in a legal, fair, transparent, and respectful manner;
- Rights for individuals, and remedies against abuses;
- Powers for the Information Commissioner’s Office to oversee and enforce data protection laws.
According to analysis by ORG, presented as a briefing for MPs, the UK’s Data Protection Bill will weaken data protection rights, weaken accountability of organisations which hold personal data, undermine the ability for individuals to obtain data held on them by public and private institutions, and undermine the ability for individuals to challenge decisions made by public and private bodies regarding the handling of their data.
ORG also warns that the independence of the ICO will be further weakened by the Bill as it grants the Secretary of State for Digital, Culture, Media and Sport the power to “issue a statement of strategic priorities to the ICO and require the regulator to respond in writing as to how it will address them.”
The ICO will also be required to seek approval from the Secretary of State when issuing codes of practice that organisations must follow when handling data.
In 2021, the outgoing head of the ICO, Elizabeth Denham, warned that proposals to change UK data protection laws would undermine the independence of the data watchdog.
The ICO’s new chief, John Edwards, seemed undisturbed by the proposed changes saying that he “welcomed the reintroduction” of the Data Protection Bill (after it had previously been paused in the summer of 2022 for further consultations with business interests). Echoing the language used by the Secretary of State to promote the Bill, Edwards added that he supports the “ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights.”
Fundamental Digital Rights Largely Unknown By the British
One example of an obligation contained within the GDPR that every EU and UK internet user will be aware of is the requirement for websites to inform users of their right to object to the retention, sharing and selling of their private data. The ubiquitous opt-in and opt-out popups that appear when attempting to access a website reflect how widespread the collection, sharing and selling of private and personal data is.
The Data Protection Bill would eliminate the requirement for websites to offer users the option to opt-out of their data being tracked and shared.
ORG has outlined numerous changes the UK government is proposing to current data protection law.
These changes would make it “easier for companies and organisations to circumvent legal data protection requirements,” including by:
- Misclassifying personal data as anonymous data;
- Allowing personal data to be used for commercial purposes under the guise of “research purposes”;
- Removing cookie consent requirements for online tracking and personalised advertising;
- Undemocratically expanding government powers.
The rights that everyone across the UK currently has (as a result of the GDPR implemented in the UK via the Data Protection Act 2018, and as a result of the EU’s Data Protection Directive 1995 implemented in the UK via the Data Protection Act 1998) include:
- The right to be informed about the collection and use of your personal data. This includes the purposes for processing the data, how long it will be retained for, and who it will be shared with;
- The right of access to a copy of personal data held about you;
- The right to rectify inaccurate or incomplete personal data;
- The right to erasure of personal data;
- The right to restrict processing of your personal data, which limits how an organisation can use your data;
- The right to data portability which entails allowing people to request a reusable copy of their personal data which they can transfer to another service;
- The right to object to the processing of your personal data;
- Rights in relation to automated decision-making and profiling including a) the right not to be subject to a solely automated decision that has a significant impact on you, b) the right to specific information about automated decision making and profiling, and c) the right to challenge and request a review or explanation of automated decisions.
To one extent or another, every single one of these rights will be weakened, undermined or eliminated if the Data Protection Bill becomes law.