Why Are European Regulators After US Big Tech Firms?
GDPR has been a sore area of compliance for US-based big tech companies.
Effectively, they had to adopt a host of new measures for collecting user consent, ensuring compliant data storage and the right to request data removal for a substantial part of their user bases.
The wrinkle, however, is that companies like Google and Meta, among others, don’t have separate data processing infrastructure for different markets. Instead, all the user data gets commingled on the companies’ servers, which are located in the US.
The location of data storage facilities is an issue. In 2020, the CJEU made a historic ruling that invalidated the Privacy Shield. The Privacy Shield was an arrangement that originally allowed international companies to transfer data between the EU and the US if they adhered to seven data protection principles.
However, continued investigation found that the Privacy Shield scheme was not GDPR compliant, and therefore companies could no longer use it to justify cross-border data transfers.
The invalidation of the Privacy Shield gave grounds for further investigations into the big tech companies’ compliance status.
In March 2022, the Irish DPC issued the first fine, of €17 million, to Meta for “insufficient technical and organisational measures to ensure information security of European users”.
In September 2022, Meta was again hit with a €405 million fine for Instagram breaching GDPR principles.
2023 began with another series of rulings, with the DPC concluding that Meta had breached the GDPR in relation to its Facebook service (€210 million fine) and in relation to Instagram (€180 million fine).
Clearly, Meta already knew they weren’t doing enough for GDPR compliance, and yet they refused to take privacy-focused action.