Meta’s record $2 billion data fine is a punishment for change inertia
Meta just copped an enormous $2 billion fine for some data privacy funny business over in Europe. Who cares? AFFINITY’s digital boss Rob Mills explains why Aussie businesses should sit up and pay attention.
News last week of the Irish Data Protection Commission (DPC) imposing a record breaking 1.2 billion euro fine, or close to AU$2 billion, on Meta for their continued transfer of EU personal data to the US is a wake-up call for businesses worldwide.
Meta, the parent company of Facebook and Instagram, says it was “disappointed to have been singled out” and the ruling was “flawed, unjustified and sets a dangerous precedent for the countless other companies”.
The playground excuse of ‘everyone is doing it’ has rarely vindicated the accused, and their track record and lack of proactive action make it difficult to sympathise.
The DPC has been investigating Meta, which has its European headquarters in Ireland, for three years.
But despite a 2020 European Court of Justice ruling that invalidated the previous data transfer pact, rather than seeking new ways to comply with the changing regulations or adapting practices to ensure nimbleness in the face of evolving data transfer requirements, Meta chose to wait for new data transfer regulations to materialise.
This approach can be seen as nothing short of a potentially foolish gamble.
So, why should Australian businesses pay attention to this case?
Australia is currently undergoing its own data and privacy reforms, and many are guilty of adopting a similar stance of inaction, preferring to wait for decisive changes before taking any concrete steps.
While there may be no immediate legal accountability or fines for non-compliance for regulation that is not yet law, this passive approach will not make our lives any simpler.
This is an opportunity to review data retention and transfer practices and compare them to the likely requirements of upcoming changes. Embracing the inevitable ambiguity surrounding data regulations, we must proactively adapt and continuously improve.
The age of data is characterised by constant rule and regulation changes. To navigate this landscape successfully, we need more than just a transformation of processes; we need a mindset change.
There is plenty of guidance already out there from GDPR, the California Consumer Privacy Act, and more recently in Australia, the Attorney General’s Privacy Act Review Report, which provide clear principles to at least get started with:
- Reduce risk – understand where and how data is stored. Avoid fragmentation, duplication and unnecessary storage of unreasonable or high risk data.
- Transparency – ensure subjects of data are clearly informed what data is captured, why, and how it is used.
- Control – providing data subjects with the ability to determine what, how and when their data is used.
Meta, which intends to appeal the decision, had three years to demonstrate their preparedness for evolution, yet failed to do so. Australian organisations should learn from this by instituting change and take concrete steps to implement flexible data handling capabilities throughout their operations now.
By reducing reliance on rigid and ingrained ways of operation, it will be easier to commit to the necessary changes when they happen.
A crucial aspect of this shift involves developing a robust approach to data governance, by investing in robust systems that can navigate complex regulatory landscapes ensuring compliance and data protection. Moreover, fostering a culture of continuous learning and adaptation will enable business to stay ahead of the curve, rather than constantly playing catch-up.
While the fine imposed on Meta is undoubtedly substantial, the true cost of their inaction lies in the erosion of trust and reputation.
Australian businesses must take heed and recognise that waiting for changes to become law only leads to missed opportunities, the potential for brand damage, and legal ramifications.
Let the Meta case serve as a valuable lesson – a reminder that the age of data demands proactive and flexible approaches to governance.
Embracing this mindset change and taking real, concrete steps towards implementing that change, will position those that do as leaders in data protection, ensuring compliance and resilience in an ever-evolving regulatory landscape.
Rob Mills is the head of digital at Sydney headquartered independent digital and media agency AFFINITY.
