Meta is in hot water after recently receiving its fourth GDPR fine in a year for failing to prevent a 2019 data leak that exposed the personal information of more than 500 million Facebook users. Ireland’s Data Protection Commission fined Meta roughly $275 million for the leak, for a total of €912 million in fines in the past year. This latest fine is another example of regulators cracking down on tech giants like Meta to protect sensitive user data and hold companies accountable for poor data management practices. The largest GDPR fine to date was imposed in 2021 against Amazon for €746 million by privacy regulators in Luxembourg, a charge Amazon is currently fighting. Another large recent fine was against Google for €90 million for its cookie consent procedures on YouTube, resulting in a cookie consent page redesign to make it easier for European users to refuse cookies.
GDPR, the General Data Protection Regulation, is a regulation applicable as of May 2018 in all EU member states, meant to harmonize data privacy laws across Europe and protect internet users. The regulation also applies to US-based organizations that offer goods and services to Europeans or that monitor the online activities of Europeans. GDPR is considered the toughest privacy and security law in the world, and violations frequently result in heavy fines like the one leveled at Meta. The law has inspired lawmakers in the United States to enact similar legislation, including the California Consumer Privacy Act (CCPA) and the Consumer Data Protection Act (CDPA) that will go into effect in Virginia in January 2023. States like Washington and New York have also proposed similar regulations modeled after the GDPR, prompting many to wonder if Congress will pass a federal law to create uniform data protection regulation across states.
These recent fines prompt questions about whether regulators are doing enough to crack down on data privacy violations and what additional actions need to be taken. According to Gartner, 75% of the world’s population is expected to have its personal data covered under modern privacy regulations by year-end 2024. VP Analyst Nader Henein at Gartner explained, “This regulatory evolution has been the dominant catalyst for the operationalization of privacy.” Data privacy concerns are also evolving as technology changes, with better governance of AI becoming a growing privacy and security concern. With 40% of organizations having experienced an AI privacy breach, improving oversight and accountability of AI is a growing problem: “Once AI regulation becomes more established, it will be nearly impossible to untangle toxic data ingested in the absence of an AI governance program,” Henein said.