According to Norway’s data protection authority, Facebook owner Meta should be penalized for continuing to transfer Europeans’ private data to the United States in contravention of an essential EU court order.
If authorities do not punish the US tech giant, there would be little or no motivation to act in conformity with EU data transfer legislation, Norway’s Datatilsynet wrote in a partially redacted memo.
The memo was acquired by POLITICO, which published the story under freedom of information laws. Norway’s Datatilsynet is one of a few European authorities acting on the Irish Data Protection Commission’s (IDPC) proposal from July.
The IDPC’s proposal requires Meta’s Facebook to stop using standard contractual clauses (SCCs) to transport data over the Atlantic, including everything from family photos to salary information.
The proposal backs a 2020 judgment in which the European Court of Justice rejected the Privacy Shield EU-US data transfer agreement and strengthened conditions for using other data transfer methods such as SCCs because they would leave Europeans open to intrusive US monitoring.
Based on the circumstances of the case, the Norwegian protest states that it does not see how Meta could have maintained its personal data transfers following the Schrems II verdict if it had behaved in compliance with the GDPR.
Meta’s alleged infringement of EU data transfer standards
According to Norwegian media, Norway’s regulator wants to go even further than the Irish Data Protection Commission, which proposed to prohibit Meta’s EU-US data transfers in July but did not mention a sanction for the infringement.
The Norwegian regulator noted that orders and bans usually seek to guarantee that future data processing of personal data is GDPR compliant, but may also include penalties such as fines for prior violations as a disciplinary aspect.
A representative for the Irish authority stated that the case is ongoing and that commenting at this time would be “inappropriate”.