Meta fined $1.3 billion: What is GDPR in simple terms? Europe’s data privacy rules explained
The European Union has fined Meta, the parent company of Facebook $1.3 billion, for violating user privacy. What is the GDPR and how does it protect privacy rights?
Meta, the parent company of Facebook, has been handed down a jaw-dropping fine of $1.3 billion for illegally transferring user data from the European Union to the United States.
To function in the EU, Meta registered a European subsidiary in Ireland called Meta Ireland, which is the formal entity that has received the fine for violating the General Data Protection Regulation (GDPR). The court also gave Meta Ireland five months “to suspend any future transfer of personal data to the US” and six months to ensure that their internal processes and security systems complied with Chapter V of the GDPR.
What is the GDPR?
The GDPR was adopted in 2016 and came into effect in 2018. The regulation is designed to protect the privacy rights of citizens and better regulate the actions of international companies like Meta. The GDPR is, according to the EU, the strongest data protection law active in the world today and aims to provide an example of measures other countries could take to protect the privacy of their citizens and residents.
The digital revolution has redefined privacy rights because the data that is collected, processed, analyzed, or sold to help firms attract consumers or users raises questions. In other words, a major question that arose in the EU was, should companies be able to profit from data collected unknowingly by users?
Many policymakers said no, and affirmed that users who are having their data collection should be informed, and should they wish to have their data deleted, the company operating in the EU must be able to demonstrate that they have complied with the request. If companies are found to be out of compliance, like in the case of Meta Ireland, they are subjected to hefty fines.
Who is allowed to process data?
There are strict rules about data processing, which under the GDPR is defined as: “Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, [and] erasing.”
Organizations that hope to process data must operate under one of the permissible rationales that are outlined in the legislation. In the case of an e-mail, a user must have provided “unambiguous consent to process the data,” which means that they have opted into receiving messages. In the United States, brands and organizations, including those political in nature, can sell e-mail lists and send messages without someone having stated clearly that they want to receive them. In the EU, that would be a violation of the GDPR.
Preparing a contract is another reason data processing could be justified, as would compliance with legal obligations like in cases where one “receive[s] an order from the court in [their] jurisdiction.” There are also extreme cases where processing takes place to save a person’s life or where the processing benefits the public. The GDPR allows for the existence of exceptional cases that may not be covered under these other cases but warns that, particularly in the case of children, caution should be exercised.