Meta's fine; How cybersecurity reached the boardroom
The DPOInsider covers the latest news and developments in data compliance and privacy. The DPO's favourite weekly read ☕️
Meta hit with €1.2bn fine under GDPR
In a recent historic ruling, the European Data Protection Board (EDPB) has ordered Meta to halt the export of European Union user data to the United States and has imposed a record €1.2 billion fine for breaching the bloc's General Data Protection Regulation (GDPR). The scale of this decision highlights how severe the consequences of non-compliance with data privacy laws can be. Meta, however, argues that the issue arises from a conflict between EU and US law rather than from its own privacy practices.
The ruling carries wider implications, potentially affecting any internet platform that qualifies as an electronic communications service provider subject to the FISA 702 PRISM program. It puts pressure on lawmakers on both sides of the Atlantic to establish a mutually acceptable data transfer agreement. With Meta's impending appeal and the uncertainty surrounding these arrangements, it is critical for us, as data protection professionals, to monitor how these events unfold.
Data privacy campaigner Max Schrems has said that a durable solution will require significant reform of US surveillance practices. Given Meta's substantial resources and the intricate web of international data transfer laws, the stage appears set for a protracted legal battle. This evolving landscape presents an opportunity for organizations to re-evaluate their compliance with data privacy regulations and set exemplary standards for personal data protection.
Meta's ordered compliance with Chapter V of the GDPR entails stopping the unlawful processing, including storage, of personal data of European Economic Area (EEA) users that was transferred in violation of the GDPR. However, ambiguity remains around data deletion, which neither the Data Protection Commission (DPC) nor Meta has addressed explicitly. The EDPB clarified that the ruling demands compliance but does not specifically dictate whether this should be achieved through data deletion.
This matter traces its origins back to 2013, when NSA whistleblower Edward Snowden revealed the extensive data collection of US government surveillance programs, infamously known as PRISM. This disclosure led to various legal challenges against tech giants suspected of cooperating with PRISM, including a significant case led by Max Schrems. Schrems' legal pursuits against data transfers to the US culminated in two pivotal rulings, now referred to as Schrems I and Schrems II.
The case of Schrems I emerged after his initial complaints against Facebook and Apple were dismissed by Ireland's data protection authority on the grounds that both companies were registered with the then-existing EU-U.S. data adequacy scheme, Safe Harbor. On appeal, the Court of Justice of the European Union (CJEU) invalidated Safe Harbor in 2015, finding that it did not offer the necessary equivalence to EU data protection for data exported to the U.S.
Following Schrems I, the activist refiled his complaint against Facebook in Ireland, leading to the invalidation in 2020 of Safe Harbor's replacement, the EU-U.S. Privacy Shield, over concerns related to U.S. surveillance practices. This second ruling, known as Schrems II, further highlighted the tension between U.S. surveillance law and EU privacy rights.
The future of EU-U.S. data adequacy hinges on the forthcoming EU-U.S. Data Privacy Framework (DPF), slated for adoption this summer. The Commission asserts that the DPF effectively addresses the CJEU's concerns raised during Schrems II. However, critics, including Schrems, question the U.S. adherence to the EU's principles of necessity and proportionality under this new framework, suggesting it could end up back in court.
Adding to the complexity of the situation, Ireland's GDPR enforcement process has drawn criticism. The Irish Data Protection Commission's (DPC) handling of cross-border GDPR complaints, particularly those concerning Big Tech companies, has been depicted as a bottleneck. Critics highlight the DPC's preference for "amicable resolution".
How cyber security burst into the boardroom
The recent article on the SolarWinds cyber attack underscores an unsettling reality for leaders in the digital age: no one is immune, and cybersecurity preparedness is crucial. As Sudhakar Ramakrishna, SolarWinds' CEO, discovered, dealing with a cyber attack is more than a technical issue. It is a strategic challenge that demands a holistic and informed response.
It is not surprising that most CEOs, while accepting accountability for cybersecurity, are uncomfortable making decisions on this front. This discomfort stems from a lack of understanding and an inability to navigate the intricate cybersecurity landscape. As Kelly Richdale, an adviser on cybersecurity, suggests, "the board has to be versed in the basics of cyber attacks and digital concepts." This is a reminder that the cybersecurity narrative needs to permeate every level of an organization, especially the boardroom.
In the face of these asymmetric threats, where "attackers only have to get it right once" while defenders must remain vigilant at all times, it is critical to adopt a posture of continuous improvement. As Ramakrishna aptly puts it, "You continuously improve but you're never fully secure." This iterative approach to security implies a mindset shift, moving from a position of fear to a culture of constant learning and improvement.
An unexpected consequence of cyber attacks is that they can expose strategic business operations, allowing for a thorough analysis and reinforcement of those areas. Yet when it comes to supply chain attacks, it is alarming to see how often smaller companies act as inadvertent conduits to larger targets. This underscores the importance of scrutinizing the security measures of every link in the chain - a task that falls squarely within the CEO's purview.
Finally, this piece draws our attention to the power of collaboration and transparency in handling such crises. Ramakrishna's "bias to transparency" approach emphasizes the need to share knowledge and experience in the face of attacks. By doing so, we not only mitigate our individual vulnerabilities but also enhance collective resilience against future threats. As professionals invested in data privacy, it is imperative that we adopt such practices, broadening our understanding and fortifying our defenses against the ever-evolving landscape of cyber threats.
Other data privacy news
A Deeper Look At The New UK Version Of GDPR
The U.K. government recently published a press release announcing a new U.K. version of the General Data Protection Regulation (GDPR), the law the EU first adopted in 2016. While the new set of rights is not a major departure from the existing EU standards, there are some changes worth a deeper look.
Capita hit by new data breach incident
Colchester Council said files including benefits data were found in an unsecured Amazon S3 storage bucket controlled by the outsourcer.
Discussing Privacy and Data Protection Beyond the Regulatory Aspects
Technology and advanced techniques for processing personal data have created opportunities for solving problems, but they have also put individual privacy at risk and introduced compliance and legal challenges. Today, merely complying with the law is no longer enough. The complexities of data privacy and protection require a deeper understanding of the ethics of collecting, using, and sharing personal data.
Post of the week
We will be taking a few weeks off after this issue. DPOInsider will be back on the 23rd May!