A new record has been created in GDPR regulatory fine with Ireland’s Data Protection Commission (DPC) imposing a fine of $1.3 billion (Nearly Rs 10766 crores). The population of Ireland as a country is 51,23,536 lakhs (as per 2022 census), marking it a per capita income of Rs 21100.
It may be noted for records that Meta’s global quarterly earning in the period ending March 2023 was $5.709 billion. How much of this came from Europe is not known.
Irrespective of the justification, at this level it is like an “Extortion”. It appears that many EU countries may still consider this as a delayed and diluted fine and Irish authorities is soft on the industry. The previous high was the fine imposed on Amazon at US $ 887 million by the Luxemburg authorities which was about 1 lakh of rupees from per-capita calculation of Luxemberg with a population of around 6 lakhs.
Refer article in Security Boulevard
Many privacy enthusiasts may rejoice from the shocking effect created by such fines. But the decision exposes the danger of this approach deteriorating into a blood sucking practice.
EU countries have tasted blood and will continue to impose such fines from time to time to establish their global hegemony. Experts feel that many other giants including the already fined entities could face another round of such insane fines.
We must remember that the entire fine collected will go to the exchequer of the country imposing the fine and not paid by way of compensation to any individual who might have suffered on account of the so called Privacy Breach.
The legality of enriching at somebody else’s cause need to be questioned in view of the unreasonable or disproportionate level of fine.
This sort of approach to regulatory deterrence is self defeating and could lead to exodus of business from EU.
It is also predicted that the new US-EU privacy agreement may also get rejected by the EU Court and hence the risk of further fines is extremely high for the industry.
While Meta may be able to drag this 10 year old dispute further by appealing against the decision, many smaller companies will now be required to make appropriate provisions in their financial books to cover such risks.
The problem for the industry is that the fines are coming from decisions of the supervisory authorities on interpretation of adequacy of measures in different instruments of compliance used by the organizations.
In the EDPB decision on “NOYB” complaint it was held that there was a contravention of Article 6 of GDPR by Meta, though the company had used “Contract” as a method of establishing lawful basis of processing as per Article 6(c). Through this decision the EDPB tried to define the business process of content based advertising.
The current decision on Meta is based on the alleged violation of Cross Border transfer regulations under Article 46(1) based on Standard Contractual Clauses.
EDPR chair Andrea Jelinek stated “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences”.
While full details of the order are yet to be analysed, some of the information available indicate the following.
Meta has been relying on the Privacy Shield Protocol for transfer of data from EU to US for processing and use in advertising. It was based on SCC and believed to be in compliance with GDPR until CJEU scrapped the Privacy Shield agreement. Following this CJEU verdict, proceedings were launched on Meta by the Irish authorities.
According to one of the interim reports that had been released, a study had indicated that “changes to (the) free flow of data could cause significant harm to telecommunications, digital payments, global services outsourcing and pharmaceutical R&D industries,” and “Based on the estimates of the Analysis Group economists, European businesses and consumers in each of these industries may incur several billion dollars of additional annual costs,” .
The contention from the EU side was that GDPR guidelines require the country receiving the data to offer the same level of protection to the country from which the data is borrowed. In terms of standards, data protection has to match with that offered in the European Economic Area (EEA). Since US laws did not provide such adequate security, SCC was considered as a means to provide such compliance.
It now appears that the SCC instrument has also failed to provide satisfactory compliance.
Naavi considers that the attitude of EU authorities is basically incompatible with the business and commercial entities cannot live in the fear of the arrangements being retrospectively held inadequate and heavy fines imposed.
For the Indian market where there are many data processors processing EU data, Naavi had suggested the unique Pseudonymization process suggested for implementation through a “Data Importer Certification” . This is designed to transfer the cross border transfer risk to the Data Exporter in EU and relieve the data importer from the liabilities.
However this may apply to Data Processors while Data Controllers like Meta have no option other than setting up their processing centers within EU.
This is what is called “Data Localization” and what EU is doing is to achieve “Forced Data Localization” through regulatory fine mechanism.
Indian law has opted for a low level of fine (Maximum Rs 500 crores) and is also prepared to offer a “Protected Data Processing Zone” to the EU data controller and Indian Data Processor to operate. This mechanism can subject to usual security against cyber attacks protect the EU Controllers from the risk of exposure to local laws of the processing country to a certain extent.
However, a complete compliance of EU GDPR will require the data importing country to surrender its sovereignty to the laws of EU . In effect the EU is trying to create new “Data Colonies” and some countries may succumb to this temptation and let the “New East Indian Companies in Digital Avatars” to set up their own virtual countries within India.
A larger debate is required on whether India should agree to such a measure. My view is not to support the privacy infringement of Meta but for regulation to be reasonable.