What does Meta’s £1.2bn fine mean for UK businesses?

13 Jun 2023

In May 2023, Meta, the company that owns Facebook, was fined £1.2 billion by Ireland's Data Protection Commission (DPC) for mishandling people’s data when transferring it from Europe to the United States. In this briefing, ’Sọjí Wey, Data Protection Practitioner with rradar, considers why this decision is important for the UK.

You might be thinking, ‘why do UK businesses have to worry about a dispute between an Irish regulator and a US company?’ Good question. Let’s get into it.

Why has Meta been fined?
The General Data Protection Regulation (GDPR) is an EU law that sets out the rules on collecting and processing the personal data of people in the EU. Post-Brexit, the UK has put in place its own version of this law, called UK GDPR. The UK version is broadly the same as the EU version, including its rules on transferring personal data outside the country.

Companies often use something called ‘standard contractual clauses’ (SCCs) to move personal data from the EU to the US in a way that complies with GDPR. SCCs are contract terms, approved by the European Commission, in which the recipient of the data promises to protect it to an EU-equivalent standard. Companies rely on them to justify transferring, for example, email addresses, financial information, phone numbers and other information from which individuals can be identified.

The DPC found that Meta’s use of SCCs, even with the additional safeguards Meta had put in place, did not adequately protect the data of European Facebook users from possible surveillance by US government agencies.

Meta’s data protection saga
Meta does not have a good reputation for protecting personal data. The DPC fine is the latest blow. Here is a timeline of key events so far:

  • In 2013, Edward Snowden disclosed that American authorities access personal information through companies like Facebook and Google.
  • In 2015, the Court of Justice of the European Union (CJEU) agreed with a claim from Max Schrems, an Austrian privacy campaigner. He challenged the adequacy of the Safe Harbour Framework (SHF), the mechanism Facebook used at that time to cover data it transferred to the US, arguing that the US government was able to get around the SHF. The CJEU invalidated Safe Harbour, which led to the creation of the Privacy Shield Framework (PSF), a replacement data sharing agreement between the EU and US.
  • In 2020, Schrems brought an up-to-date case to the CJEU (commonly known as ‘Schrems II’). He argued the PSF also did not provide enough protection. The court agreed and invalidated the PSF. The CJEU did not ban SCCs outright. Instead, it held that a company relying on SCCs must assess, case by case, whether the law and practice of the destination country undermine the protection the SCCs promise, and must add supplementary measures or suspend the transfer if they do.
  • After the Schrems II decision, companies, including Meta, continued to rely on SCCs for EU to US transfers. Whether those SCCs and the accompanying safeguards were actually enough is at the crux of Meta’s record fine.

Next steps for UK companies
In a post-Brexit world, the UK does not have to follow the CJEU’s rulings. Similarly, it is not subject to the oversight of Ireland’s DPC. However, UK GDPR contains the same restrictions on international transfers, and the UK’s own regulator can enforce them. These organisations might be on to something. A signal has been sent. Shots have been fired.

UK companies would be wise to be wary when sending personal data to the US and act with due diligence. They should:

  • Map all personal data transfers to third countries (countries outside the UK), including transfers to cloud providers and other processors, and check whether each destination provides an essentially equivalent level of protection.
  • Verify the transfer tools used. If the third country has not been deemed adequate, a company can rely on one of the transfer mechanisms in Article 46 (such as SCCs or the UK equivalent) or, exceptionally, on the derogations in Article 49, but must justify the choice on a case-by-case basis.
  • Examine the relevant legislation and practices in the third country, in particular government access to data, to check that the chosen transfer tool is effective in practice and, if there are issues, suspend the transfer or implement supplementary measures (for example, encrypting data so that only the UK exporter holds the keys).
  • Identify and adopt measures that bring the level of protection in line with UK standards if the assessment reveals any deficiencies.
  • Continuously assess the level of protection and re-evaluate whenever there is a development, such as a change in the destination country’s law, that may affect the transfer.
  • Follow formal procedures such as conducting and documenting transfer risk assessments, and seek guidance from the supervisory authority if necessary. The Information Commissioner’s Office (ICO), which is the UK’s supervisory authority, has issued a useful International Data Transfer Agreement (IDTA) template, along with an addendum for use with the EU SCCs, which UK companies may use.
