On Monday, May 22, the European Data Protection Board (EDPB) published a decision hitting Meta, parent of Facebook, WhatsApp, and Instagram, with a €1.2b ($1.3b) fine for impermissibly transmitting personal information from the European Economic Area (EEA) to the United States. The EDPB described Meta’s activities as “serious” and including “transfers that are systematic, repetitive, and continuous,” and it stated that the fine was intended to serve as a “strong signal to organizations that serious infringements have far-reaching consequences.”
The Meta fine has a long timeline, and the 222-page order imposing it, Binding Decision 1/2023, comprehensively recites it. Meta has been the subject of legal proceedings on data transfers since 2013, when Jürgen Schrems, an Austrian privacy advocate, brought his first suit against Meta (then known as Facebook).
Is this a big fine for Meta? Article 83(5) GDPR threatens a maximum penalty of €20m or 4% of annual worldwide turnover, adjusted by Article 83(2) factors. For scale, Meta reported $117b in turnover in 2022 and $118b in 2021 – and profits of $29b and $47b, respectively. A €1.2b fine, therefore, is about 1/3 of the theoretical (“4%”) maximum. As noted above, the challenges to Meta’s data practices started a decade ago.
An interesting question posed by the Meta situation is exactly what “4% of annual turnover” means in a long case—does GDPR Article 83(5) intend that the maximum fine be multiplied by the duration of the violation? This matters little if a behavior is challenged and remedied rapidly—but where a legal challenge rages on for years, and the subject entity continues to do business, GDPR’s penalties could be relatively weak. The Meta situation is even muddier because it included regulatory responses by Meta to changing regulations that the EDPB saw as mitigating, even if it ultimately decided Meta’s solutions were illegal.
Though heralded as the largest fine in GDPR history, this also suggests that penalties, even for what the EDPB calls “serious” behavior, might end up in the range of a “cost of doing business” for larger data handlers. Smaller enterprises, less able to fight epic legal battles, may fare proportionately worse. At least theoretically, any company could receive a €20 million fine. A quick review of published data shows that for “high data volume” violations, midsize companies routinely are assessed fines in the hundreds of thousands to the low millions. In terms of the top 20 known EEA-issued GDPR fines, they fall off rather rapidly after the two largest ones:
- Meta (US) – €1.3b, 405m, 390m, 265m, 225m (WhatsApp), 60m, 50m, 17m
- Amazon (US) – €746m
- Google (US) – €90m, 60m, 50m
- H&M (Sweden) – €35.25m
- TIM (Italy) – €27.8m
- Enel (Italy) – €26.5m
- Clearview AI (US) – €20m, €20m, €20m
- Wind (Italy) – €16.7m
- Vodafone (UK) – €12.25m
A cynical observer might attribute this distribution—reflecting enforcement priorities—to a clear bias against organizations based outside the EU. But this does not have an obvious factual basis. Europe simply does not have data controllers and processors on the scale of Meta, Amazon, or Google; there is nothing about the structure of GDPR that suggests it intentionally operates as a tax or non-tariff barrier; and European enterprises have received the largest number of fines for violations.
Interestingly, Spain has been a leader in weaponizing GDPR as a tool to punish offenses far more mundane than running social media platforms. Spain leads in the number of fines levied, some as small as €180. It has relied on Article 5 to penalize businesses and private citizens for video surveillance of neighbors, door-to-door sales, using pictures of event participants in marketing materials, publishing WhatsApp chats, issuing duplicate SIM cards, unwarranted credit reporting, and playing courtroom recordings on the news. And that was just April and May 2023.
The range of outcomes is driven in part by local enforcement. But the considerable latitude provided by Article 83(2)—and varying interpretations of Article 5—makes each action a case-by-case exercise.
Takeaways:
- Europe arguably has taken a moderate path with corporate fines and has demonstrably looked to facts and circumstances more than asserting absolute maximum fines.
- Fines for businesses, however, are still relatively stiff—and businesses should be careful to avoid violations.
- Some jurisdictions are getting very creative in monetizing GDPR violations, so compliance should be directed not only to headline issues like website consents and cross-border transfers—but also to less obvious “technical” violations.