Press play to listen to this article
Facebook owner Meta Platforms should be fined for continuing to transfer Europeans’ personal information to the US in violation of a landmark EU Court of Justice ruling, the authority says. Norwegian Data Protection Agency to its regulatory peers.
“There would be little or no incentive to act in accordance” with European data transfer laws if regulators do not impose a fine on the US tech giant, Norwegian authority Datatilsynet said in a statement. a partially redacted document obtained by POLITICO under freedom of information laws.
The authority is one of the few European regulators to respond to the Irish Data Protection Commission’s July draft order which orders Meta to stop using a legal instrument called Standard Contractual Clauses (SCCs) to transfer data across the Atlantic – everything from family photos to payroll information.
The Irish draft ruling implemented a 2020 court ruling in which the European Court of Justice struck down an EU-US data transfer agreement called Privacy Shield and tightened requirements to use other privacy mechanisms. transfer of data like the SCCs, because they would expose Europeans to intrusive American surveillance.
“Based on the facts of the case, we do not see how [Meta] could have continued its transfers of personal data following the Schrem II judgment had he acted in accordance with the GDPR,” reads the Norwegian objection.
He said he thought Meta’s breach of EU data transfer rules was “particularly serious”.
The Norwegian document suggests the regulator wants to go further than the Irish Data Protection Commission, which decided in July to block EU-US data transfers from Meta but made no mention of a fine for violations.
“While orders, limitations and prohibitions generally aim to ensure that future processing of personal data takes place in accordance with the GDPR, sanctions such as administrative fines target past breaches and have a punitive element”, reads- we.
A spokesperson for the Irish authorities said the case was ongoing and it would be “inappropriate” to comment.
Meta has repeatedly said a ruling blocking his transfers would force him to shut down his Facebook and Instagram offerings in Europe, but a final decision is months away.
The Irish regulator is required to incorporate comments from other European regulators, including Norway’s, into its decision, and may have to trigger a formal dispute resolution mechanism if it cannot resolve objections, which would delay the process for at least a month.
Meta could also still appeal a finalized Irish decision, again delaying the need to trigger a blackout on Facebook and Instagram in Europe.
The process buys critical months for EU and US officials to agree on a new transatlantic data pact to replace the now defunct Privacy Shield. Negotiators expect to reach a new agreement in the first quarter of 2023. When such a new data agreement between the EU and the United States is in place, Meta and thousands of other companies could use this agreement – not CSCs – to move people’s information around the world. Atlantic in a legal way.
A spokesperson for Meta said that “this matter relates to a conflict between EU and US laws which is in the process of being resolved. We welcome the EU-US agreement for a new legal framework that will enable the continued transfer of data across borders, and we hope this framework will enable us and others to keep families , communities and connected economies.