Meta is being fined $1.3 billion (€1.2 billion) for allegedly violating European Union privacy laws relating to unlawful data transfers from the EU to the United States. Announced in May 2023, this is the most significant ruling under the General Data Protection Regulation (GDPR) to date. Meta relied on Standard Contractual Clauses (SCCs) as a legal mechanism to transfer the data, but regulators claim the transfers didn’t meet legal requirements for SCCs.
The European Data Protection Board’s (EDPB) Chair, Andrea Jelinek said, “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive.”
Meta, Transatlantic Data Transfers, and the DPF
During Meta’s 6-month grace period to cease data transfers from the EU to the U.S., the company will be hoping for an international political agreement on legal data transfers under a new version of a transfer mechanism, the Transatlantic or EU-U.S. Data Privacy Framework (DPF). President Joe Biden and European Commission President Von der Leyen reached an agreement on the principles of this framework to enable the transatlantic flow of data and is awaiting the decision of the European Commission. Reuters notes that the Ireland Data Protection Commissioner (DPC) said the new DPF may be ready by July 2023.
The implications of the Irish Data Protection Authority’s (IE DPA) decision against Meta’s transatlantic data transfers impact other companies using SCCs — a popular legal data transfer instrument — to transfer data from the European Union.
Meta, EU Targeted Advertising, and US Cautions
Meta’s data transfer troubles follow its recent January 2023 $414 million (€390 million) fine from the Irish DPC for requiring users in the region to agree to behavioral ads based on user actions like videos they watch, not just basic demographic information. In an effort to limit the impact of planned EU privacy orders, Meta now offers EU users opt-out options for behavioral, targeted advertising.
The EU is considered “privacy mature” in comparison to the U.S. and often acts as a bellwether for U.S. data privacy regulation. Further, data privacy, collection, and handling, along with behavioral advertising, are already sore spots for U.S. consumers, whose trust in social platforms and advertisers is at stake.
While immediate U.S. federal legal action similar to Europe’s is unlikely, U.S. companies should still take heed. Research shows that consumers in the U.S. are demanding increased privacy protections and more control over their personal data. Stronger U.S. data privacy laws are inevitably on the horizon, and companies should start preparing now.
U.S. Companies Can Step up Where Congress Is Falling Short
In 2022, 74% of consumers surveyed agreed they wouldn’t shop with their favorite retailers if the companies couldn’t ensure personal data security. This sentiment is most prevalent among Millennials and Gen Z, the fastest-growing age group demographics in consumer spending.
That isn’t the only striking revelation from the past year. In March 2023, DataGrail reported that the volume of consumer data privacy requests soared by 72% from 2021 to 2022. This increase in Data Subject Requests (DSRs) signals what forward-thinking companies already know: The era of data privacy is upon us, and leaders have to act if they want to stay competitive.
Considering the relative inaction of the U.S. federal government on data privacy, it’s easy to turn a blind eye to tightening regulations in the EU. However, consumer opinion — and action — shows we’ve reached a turning point in the way people think about and act on protecting their privacy.
Going beyond federal requirements, U.S. companies can work to implement a data privacy management program that meets the most rigorous standards available today, including California’s Consumer Privacy Act (CCPA) and the GDPR. Going above and beyond current requirements means U.S. companies can rest assured they’ll likely be able to quickly adapt to future changes or new regulations, while their customers can be sure their data is safe.
Consumers, Privacy, and Choice
While Meta’s cases are specific to transatlantic data transfers and ad personalization based on behavioral data, the real issue at hand is the trampling of consumer privacy rights. In the U.S., the use of behavioral data in advertising is mostly a one-way street. However, more companies are giving consumers — even those without privacy protections — the choice to opt out of the sharing and selling of their data.
Since the U.S. lacks a comprehensive federal data privacy policy, companies have the opportunity to build trust with consumers early. After all, the chickens will come home to roost eventually: As the rest of the world’s leading economic powers introduce national data privacy legislation, the U.S. may ultimately follow suit. Consumers in the U.S. are already demanding a higher degree of access and transparency.
Opening a line of communication with consumers gives them choice and control over their personal data. This creates new opportunities for companies to connect with customers on their terms by honoring the principle of consent, fostering greater loyalty, and minimizing the potential for breaches of trust.
Competitive Differentiation in the Era of Data Privacy
Prioritizing data privacy as a central business objective can deliver ROI that goes beyond prevention. When given a choice between a brand that prioritizes consumer privacy transparency and consent, and a brand that doesn’t, 80% of consumers say they would be more likely to shop with the brand that values their privacy.
Making data privacy a core company value demonstrates commitment and sets companies apart from competitors that aren’t taking a proactive approach to privacy. However, the implementation process is challenging. It’s helpful to have a partner and platform on your side as you build and scale your data privacy management program.
Customer data leaks regularly make headlines, but prevention isn’t the only aspect of data privacy management. Companies need three key elements to establish a comprehensive program: Insights, automation, and partnership. The DataGrail platform offers all three.
DataGrail helps companies simplify data privacy management by revealing data sprawl across systems and identifying risk throughout their business processes, including marketing and HR operations. Automated privacy operations streamline program management workflows and reduce the resource strain of managing privacy requests. Finally, a partnership-focused approach means DataGrail’s human experts are on hand to help you navigate data privacy management — because a SaaS platform alone can’t do the job.
To learn more, request your 1:1 demo with DataGrail.