Meta fined €1.2bn by Irish DPC for GDPR breaches

Meta has received a record €1.2bn fine by the Irish Data Protection Commission (DPC) as instructed by the European Data Protection Board (EDPB) under the EU General Data Protection Regulations (EU GDPR) for the mishandling of millions European Facebook users’ personal data when transferring their data between EU/EEA and the US. The DPC, in addition to imposing the record fine, also ordered Meta to:

• suspend its future transfers of EU user personal data to the US with effect from the end of the twelve weeks after the appeal period expires; and
• bring its processing operations into compliance with Chapter V of the EU GDPR, by ceasing the unlawful processing, in the US of personal data of  European Facebook users. Meta is required to comply within 6 months following the date of notification to the DPC's decision to Meta Ireland.

The decision records that Meta Ireland infringed Article 46(1) of the EU GDPR when it continued to transfer personal data from the EU/EEA to the US following the delivery of the Court of Justice of the European Union (CJEU) judgement in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II). 

The Schrems II judgement repealed the EU-US Privacy Shield, which was relied upon by many organisations, including Meta Ireland, to transfer European personal data to the US. The CJEU in its judgement confirmed that despite the repealed EU-US Privacy Shield, the Standard Contractual Clauses (EU SCCs) adopted by the European Commission would continue to be a valid mechanism to transfer personal data outside the EU/EEA to the US, subject to various legal safeguards.

Meta updated its practices following the Schrems II judgement, including utilising the EU SCCs in addition to other supplementary measures such as carrying out transfer impact assessments and implementing further technical and organisational measures, relating to the transfers. However, the decision found that despite those arrangements, the arrangements did not go far enough to address the US surveillance laws to provide an adequate level of protection to transfers of personal data of EEA/EU data subjects, therefore leading to unlawful data transfers. 

ANALYSIS OF DECISION 

The fine is the largest under the EU GDPR. However, it is worth noting that the DPC did not originally propose any fine, but several concerned supervisory authorities (CSAs) disagreed, and the Board directed that a fine should be imposed.

The decision:

• causes further uncertainty in respect of the EU SCCs and whether they are an appropriate legal mechanisms for the transfer of personal data outside the EU/EEA. There is no doubt that the vast majority of organisations who transfer personal data outside the EU/EEA to the US rely upon the EU SCCs, but the decision leaves a cloud of doubt and uncertainty for such transfers of personal data;
• illustrates that despite the implementation of supplementary measures and EU SCCs, there appears to be no arrangements that could be put in place by organisations to deal with the deficiencies caused by US surveillance laws; and
• sets out the need for organisations to look at the "law” and “practice of the law" of the US meaning; whilst the key focus is on the laws of the US, the application of the law is relevant. If an organisation is able to demonstrate and document that it has no reason to believe that the problematic US surveillance laws will be applied in practice, then the transfer may be permitted.

There is an urgent need for a long-term solution to the issues of data transfers from the EU/EAA to the US.  In an attempt to resolve the uncertainty, EU-US policy makers are in the process of progressing a Trans-Atlantic Data Privacy Framework (Framework), which if approved by the EU Commission, will attempt to resolve the concerns around the transfer of personal data from the EU/EAA to the US. It is not clear when the Framework will be approved, but it is thought that approval is due in the coming months.

APPLICATION OF THE DECISION TO THE UK

The UK Information Commissioner’s Office (UK ICO) commented on the decision and stated to the BBC that “the decision does not apply to Meta operations in the UK” but said it had “noted the DPC’s decision and will review the details in due course”. UK organisations that transfer personal data from the UK to the US will inevitably feel that the decision by the DPC and Board is unhelpful in providing clarity, and will be waiting to see how the UK ICO responds.

This article was written by Matthew Loader