Facebooks Meta has been hit with yet another data controversy.

Its been just over five years since the Cambridge Analytica scandal embroiled Mark Zuckerberg and his social media company, Facebook, and less than one year since the organisation settled a $725m privacy lawsuit, but now a new data controversy has hit the Silicon Valley business.

The Irish Data Protection Commission (DPC), which first launched an inquiry into Meta (thats Facebooks parent company) back in August 2020, concluded its investigation earlier this month, and found that Meta Irelands transferring of personal data between Europe and the United States breached the General Data Protection Regulations (GDPR).

The DPC decided such data transfers should be suspended, but when fellow regulators in the European Union and the European Economic Area (or the EEA, which includes all EU member states as well as Iceland, Liechtenstein and Norway) suggested an administrative fine as well, and the DPC disagreed, it was passed over to the European Data Protection Board (EDPB).

The EDPB decided a fine was appropriate, and so as well as being required to stop future data transfers to the US (for a period of five months), Meta was ordered to meet the requirements of the GDPR within six months, and pay an administrative fine of 1.2bn (1.04bn).

Its the largest fine ever imposed for a GDPR breach.

Andrea Jelinek, chair of the EDPB, said: The EDPB found that Meta IEs infringement is very serious since it concerns transfers that are systematic, repetitive and continuous.

Facebook has millions of users in Europe, so the volume of personal data transferred is massive.

The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.

Of course, Meta isnt happy with the decision, and has confirmed it will be appealing the unjustified and unnecessary fine and requesting the courts pause the relevant deadlines.

In a blog post penned by Chief Legal Officer Jennifer Newstead and former Lib Dem leader turned tech bro Sir Nick Clegg (hes their president of global affairs), the pair wrote: The DPC initially acknowledged that Meta had continued its EU-US data transfers in good faith, and that a fine would be unnecessary and disproportionate.

However, this was overruled by the EDPB, which also chose to disregard the clear progress that policymakers are making to resolve this underlying issue.

This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.

It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard.

The underlying issue referenced by Meta concerns a framework known as Privacy Shield, which concerned data transfers between the EEA and the US and was invalidated by the European Court of Justice in 2020 due to a lack of adequate safeguards.

Both European and American policymakers are now working on a new data privacy framework to allow data transfers between the areas, called the EU-US Data Privacy Framework.

Meta also confirmed the ruling poses no immediate disruption to Facebook given the deadline periods imposed, and that their priority is ensuring users can continue to enjoy Facebook while keeping their data safe and secure.

QUESTION 1

Discuss the importance for companies like Facebook to make use of an appropriate risk classification system. Using your own relevant examples, examine how the FIRM risk classification system can assist Facebook and based on the case study, evaluate which two risk classifications materialised.

QUESTION 2

Discuss the concept of Enterprise Risk Management (ERM) and its approach to identifying and mitigating risks. Based on the case study, evaluate the typical steps and outputs or results that Facebook can expect from an effective ERM implementation. Deliberate if Facebook has implemented an effective ERM?

• Please include an introduction, a body (with subtitles), and a conclusion
• Please use relevant and practical examples
• Please tie up the answers to the case study.