
What in the World of Compliance? The Monster Meta Fine by Jay Trinckes

May 30, 2023

Video Transcript


Speaker: Jay Trinckes, Director of Compliance/CISO/DPO

What's happening in the world of security and compliance?

Jay Trinckes: Hi folks, I'm Jay Trinckes, Director of Compliance, Chief Information Security Officer and Data Protection Officer at Thoropass. We provide a compliance software-as-a-service platform where organizations can maintain their compliance with confidence. I wanted to spend a couple of minutes discussing the news coming out of the European Union regarding the largest General Data Protection Regulation (GDPR) fine levied to date, on Meta, formerly known as Facebook. This fine was a whopping €1.2 billion, which is equivalent to about $1.3 billion US dollars, against Meta, regarding the illegal transfer of personal data to the US. Meta has been given six months to cease this unlawful processing, which includes deleting all of the personal data it illegally stored. To provide you a little bit more context, this case involved Meta Platforms Ireland Limited, that is, Meta IE, transferring personal data of EU residents to the US. Generally, this wouldn't be an

What are the immediate implications of this and who should care?

Jay Trinckes: So how does this concern you? Well, for starters, if you currently transfer EU personal data to the US, or are looking to transfer personal data of EU data subjects to the US, you will want to make sure you are compliant with the GDPR. Although the US may not be considered adequate, the transfer of personal data can still occur as long as safeguards are in place that are essentially equivalent to those required under the GDPR. You may want to follow up with your attorney on your specific processing activities.

Jay's hot take.

Jay Trinckes: So here's my take. Although this was a binding decision, it is believed Meta will appeal it. In the meantime, the US needs to move quickly to work with the EU on figuring out the approved mechanisms by which data can be transferred from the EU to the US. For your organization, it is a good time to review your data transfer mechanisms and ensure you have essentially equivalent criteria in place to protect the rights of EU data subjects. You want to review your specific obligations under the GDPR, what safeguards you have in place, and what your legal basis for processing is, and ensure your policies and procedures cover all seven privacy and data security principles, including lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. One last tip: consider encryption. Encrypted data may not be considered personal data if the organization you transfer data to does not have access to the encryption key. This case is a strong reminder to all organizations that the regulators take compliance seriously and they are ready to enforce regulations to the fullest extent of the law. You can no longer ignore your obligations. If you want more information or need additional help in your compliance efforts, please reach out to one of our experts here at Thoropass.


