- Ban on data transfer may impact all US companies doing business in Europe
- Harsh measures may unintentionally hinder fraud-fighting efforts
Irish authorities have imposed a record $1.2bn fine on Meta for illegally transferring Europeans’ data to the United States and banned future transfers. Experts now tell VIXIO the decision bears wider implications for the payments industry.
The Irish Data Protection Commission (DPC) said that Facebook, now Meta, breached the EU General Data Protection Regulation (GDPR) by transferring and storing user data in the United States after a European court invalidated the framework underpinning transatlantic data flows over concerns of US mass surveillance.
In a stellar victory for European privacy advocates, Meta has now been ordered to halt any future transfer of personal data to the US within five months and to pay a €1.2bn fine.
The decision reiterates the importance of ensuring that the rules around GDPR are adhered to and that “customer data generated in Europe, stays in Europe”, Gary Prince, founder of Astus Munia Consilium consultancy, told VIXIO.
For payment firms with open banking, it also underlines the importance of gaining and maintaining customer consent for both the holding and sharing of their data, Prince added.
Although the fine alone represents a record amount issued under the bloc’s data privacy act, the ban on transfers may have wider implications, not only for Meta but for other businesses as well.
“Meta can afford any fine we throw at them. But a ban on [data] processing is the nuclear bomb of the GDPR,” Rie Aleksandra Walle, privacy advocate and strategic advisor at NoTies Consulting, said.
The ban could hit Meta hard as many of its services were supported by the free data flow, the absence of which could lead the social media giant to stop offering Facebook and Instagram in Europe, something it has previously warned it could do.
Reflecting on the Irish decision, Meta said if data cannot be transferred across borders, “the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on”.
According to Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, the entire commercial and trade relationship between the EU and the US underpinned by data exchanges may be affected.
“While this decision is addressed to Meta, it is about facts and situations that are identical for all American companies doing business in Europe offering online services, from payments to cloud, to social media, to electronic communications.”
With its harsh fine and strict measures, the decision will likely send a strong message to firms.
“This will probably have the desired effect, not only for Meta but also for the many other companies who are contravening these regulations, whose directors are now saying, thank goodness it was not me this time,” Tony Craddock, director general of The Payments Association, told VIXIO.
However, it may have an undesirable consequence too, according to Craddock. It may slow down any efforts to collaborate and share information legally between institutions and companies in order to reduce financial crime.
“This is because collaboration is prevented by fear. Fear of fines. Fear of failure. Fear of loss of competitive advantage. And collaboration is a pre-requisite for sharing data,” Craddock stressed.
“Sharing data is now a pre-requisite for reducing APP fraud and we are on the verge of some breakthroughs in doing this in a meaningful way, at least in the UK.”
“But this fine will make companies step back from sharing data, even in a legal way, and as a result, reduce our capacity for fighting APP fraud,” the expert warned.
He also pointed out the irony in the fine being imposed in Ireland, a country famed for its low corporate tax rates and enthusiasm for attracting fintechs.
Meta has five months to halt data transfers to the US and six months to return or delete Europeans’ data stored in the US, unless the two regions agree on a new framework that re-opens the door to transatlantic data flow.
The big tech company said the fine was unjustified, pointing to other businesses that do the same.
The company is preparing to appeal the decision and seek a stay on the implementation deadlines.