Data transfer is back in the news. On May 22, the Irish Data Protection Commission (DPC) announced that it had concluded its inquiry into the cross-border data transfers of Meta Platforms Ireland Limited and determined that Meta had “infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.”
In other words, Meta’s practice of sending data associated with European citizens to the U.S. was found to be illegal under the General Data Protection Regulation. As a result, the company has been assessed a fine of €1.2 billion (approximately $1.3B), the largest financial penalty ever handed down under GDPR.
Meta plans to appeal the ruling. It holds that its practice of using standard contractual clauses to govern its cross-border data management and transfer practices is consistent with current rules. Standard clauses have been used since the Privacy Shield was invalidated in 2020 following a legal challenge by the aforementioned Austrian lawyer and privacy activist, Max Schrems, who successfully argued that U.S. privacy laws and the digital surveillance practices of the U.S. government are inconsistent with the privacy rights of European citizens. Negotiations between the U.S. and EU to reach a privacy framework that satisfies the more stringent requirements of our European trading partners is ongoing.
A Stark Reminder
The DPC’s ruling and fine is a stark reminder to every organization of the importance of understanding and complying with data protection and privacy laws. Not every organization operates the kind of large, complex operation that describes tech giant Meta, but any organization that collects and transfers files containing sensitive information is bound by law at some level. That data might be the personally identifiable information (PII) of customers, partners, employees, or other individuals who do business with the enterprise; it might be protected health information (PHI), including medical records and health insurance data; or it might be personal or corporate financial data.
If electronic files with any of that information are collected, stored, and/or transferred to other organizations, it must be protected and handled in accordance with state, federal, or international law. And navigating the many regulations that apply is a difficult endeavor in its own right. Myriad laws prevail across the globe, and here in the U.S. there are fifty different state data privacy and security regimes to satisfy in addition to the federal government. If a company with the financial and legal resources of a Meta finds it difficult to comply, smaller organizations will have their hands full.
Use Good Tools, Good Counsel
Our advice is always to find good counsel with experience helping companies and other organizations identify the laws that apply to them and establish policies and processes that set a high threshold for compliance. Then invest in proven tools that support the demands of a good compliance program and that make it easy for employees to do the right thing when handling protected data. Often that means relying on process automation to minimize the need for staff to make decisions and wring out the risk of human error. That is vital when you consider that, according to the World Economic Forum 2022 Global Risks Report, 95% of cybersecurity incidents can be “traced to human error.”
Our Diplomat MFT family of secure managed file transfer products can make it easy for organizations to handle the transfer of files containing sensitive, regulated data. Diplomat MFT offers multiple secure file transfer protocols, supports encryption for all files using OpenPGP, records each step of the process to ensure auditability proving compliance, employs authentication to ensure only staff with a “need to access” can use the system, sends alerts should anything disrupt a transfer, and has a robust scheduler that ensures every regular transfer happens when it is supposed to (while also allowing ad hoc transfers when needed). And we offer Diplomat MFT at an ethical, transparent price so that every organization has access to a high-value tool that can handle their transfers securely and at whatever scale they require. If you have any questions, or if you want to see Diplomat MFT in action, contact us for answers or to schedule a demonstration.