%20white%20transparent.png)
Meta - the Case Study
The recent conclusion of the inquiry by the EU’s Data Protection Commission (DPC) into Meta Platforms Ireland Limited (Meta Ireland) raises important questions about the intersection of data protection, corporate governance, and sustainability.
This case study prompts us to explore from an EU perspective whether a business can be deemed sustainable and socially responsible with sound corporate governance if it acts or intends to act in breach of relevant privacy laws.
The DPC found that Meta Ireland infringed Article 46(1) of the GDPR by continuing to transfer personal data from the EU/EEA to the US, despite the concerns raised by the Court of Justice of the European Union (CJEU) in the Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems case. The DPC has certainly girded up its army and capacity for digital privacy warfare and displaying alot of fire power. As of 23 May 2023, it has imposed 154 fines worth €1.623bn fines as illustrated in the graph below.
Privacy Laws as a Component of Corporate Governance, Sustainability and Social Responsibility
Corporate governance encompasses the system of rules, practices, and processes by which a company is directed and controlled. It includes ethical standards, accountability, transparency, and compliance with applicable laws and regulations. Data protection and privacy laws, such as the GDPR, form a vital part of corporate governance in the digital age. Adhering to these laws ensures that businesses respect individuals' rights, protect personal data, and promote trust with customers, employees, and stakeholders.
Therefore, corporate governance is vital for developing transparent, accountable, and compliant governance frameworks and processes for data protection. It establishes the necessary structures, responsibilities, and mechanisms to ensure that data protection.
Sustainability and social responsibility are crucial components of modern business practices. Sustainable businesses prioritise the long-term economic, environmental, and social impacts of their operations. They strive to create value while considering the well-being of all stakeholders and the planet. Socially responsible businesses go beyond legal compliance and actively contribute to society by addressing social and environmental challenges.
The Impact of Privacy Law Violations on Corporate Governance and Sustainability
When a business acts or intends to act in breach of privacy laws, it undermines its corporate governance practices and raises concerns about sustainability and social responsibility. In general, privacy law violations can have the following implications:
Legal and Compliance Risks: Breaching privacy laws exposes businesses to legal consequences, including fines and sanctions.
Reputational Risks: It can damage a company's reputation, erode customer trust, and negatively impact stakeholder relationships.
Ethical Considerations: Privacy laws are designed to protect individuals' fundamental rights and freedoms. Violating these laws raises ethical concerns and contradicts the principles of social responsibility and sustainability.
Trust and Customer Relationships: Privacy violations erode trust between businesses and their customers. Sustainable businesses rely on trust and long-term customer relationships for continued success.
Regulatory Compliance: Compliance with privacy laws is a legal requirement and an essential aspect of corporate governance. Violations can indicate a lack of effective governance structures and processes within a business.
Lessons from the Meta Ireland Case Study
The conclusion of the DPC's inquiry into Meta Ireland highlights the consequences of privacy law violations. Despite Meta Ireland's implementation of updated Standard Contractual Clauses (SCCs) and supplementary measures, the DPC found that the arrangements did not adequately address the risks identified by the CJEU. The DPC exercised its corrective powers, including imposing a significant fine and ordering the suspension of data transfers to the US.
Reputational Risk and Share Price Implications
Meta's share price has remained relatively stable since the announcement of the fine, indicating that the market may have already factored data privacy and protection issues into Meta's valuation, as well as the broader IT industry. However, this raises questions about the effectiveness of market penalties for such transgressions if share prices already reflect the risk. Investors should consider the potential impact on a company's reputation, customer patronage, and long-term sustainability when evaluating investments in businesses with privacy law violations.
A Political Angle
One can’t help but see a lesson for Meta and other multinationals with highly influential former politicians leading the government relations function. Case in question, former Deputy Prime Minister of the UK, the very well-connected Nick Clegg seems to have miscalculated the outcome. Conversely, it might be his influence that is steadying the markets’ reaction. The lesson? Having as influential person at the helm does not right regulatory breaches or corporate governance weaknesses, they merely highlight them.
Impact of EU and UK GDPR on UK Businesses
In today's interconnected world, many businesses operate across borders and are subject to both EU and UK GDPR regulations. It is important to recognise that both regulatory frameworks have extraterritorial effects, meaning they apply to businesses even if they are not physically located within the respective jurisdictions. This dual applicability arises in scenarios where businesses have processing activities in both the EU and UK or are targeting customers and monitoring individuals in one region from the other.
For instance, if a business conducts processing activities in both the EU and UK or engages in targeting or monitoring activities involving individuals in the EU from the UK, it will be subject to regulatory responsibilities under both the UK regime (UK GDPR, UK Data Protection Act, and Privacy and Electronic Communications Regulations) and the EU GDPR. The same principle applies in reverse as well. If an EU-based business carries out processing activities in both the EU and UK or targets customers or monitors individuals in the UK from the EU, it must comply with both the EU and UK GDPR regulations.
This dual regulatory landscape necessitates businesses to thoroughly understand and adhere to the requirements of both the EU and UK GDPR frameworks, ensuring they fulfil their obligations and safeguard individuals' privacy rights regardless of their geographical location. Compliance with both sets of regulations is vital to maintain legal and ethical standards while operating across EU and UK markets, avoiding potential penalties and reputational damage that may result from non-compliance.
Conclusion
Privacy laws, including the GDPR, play a crucial role in corporate governance and are integral to sustainable and socially responsible business practices. The Meta Ireland case study illustrates the importance of compliance with privacy laws and the implications of their violation. To be deemed sustainable and socially responsible, businesses must prioritise privacy, adhere to legal requirements, and demonstrate a commitment to ethical conduct and responsible data management. It is essential for investors to carefully consider the reputational risks and share price implications associated with privacy law violations when making investment decisions. Meta intends to appeal the decision so watch this space.
At Cogent Analytics we provide you with comprehensive guidance and support to ensure that businesses meet their sustainability goals and establish transparent and accountable governance practices that adhere to regulatory requirements.