On Monday, 23 May 2023, the Irish Data Protection Commission (DPC) announced the conclusion of its long-running investigation into Meta Platforms Ireland Limited (Meta) concerning the transfer of personal data from the EU/EEA to the US for its Facebook service. The DPC has fined Meta €1.2 billion and ordered the company to suspend the future transfer of user data to the US within five months. Furthermore, the DPC has given Meta six months to bring its processing operations into compliance with Chapter V of the GDPR, including the unlawful storage of EU/EEA users' personal data in the US.
The DPC found that Meta violated Article 46(1) of the EU General Data Protection Regulation (GDPR) by continuing to transfer EU/EEA personal data to the US following the Schrems II ruling by the Court of Justice of the European Union (CJEU), which struck down the EU-US Privacy Shield framework. Even with updated Standard Contractual Clauses and additional supplementary measures, the DPC found that these arrangements did not address the risks identified by the CJEU.
In January, the DPC referred the case to the European Data Protection Board (EDPB) under the GDPR Article 65 dispute resolution process after failing to reach a consensus with its fellow data protection authorities (DPAs). Then, during its April plenary session on 13 April 2023, the EDPB confirmed it had resolved the dispute, giving the DPC one month to issue its final decision.
Today's action results from a legal challenge brought by an Austrian privacy group NOYB over concerns resulting from the Edward Snowden revelations, who leaked highly classified information from the US National Security Agency (NSA) in 2013. In response, NOYB posted a detailed account of the decade-long case of Meta's involvement in US mass surveillance leading up to this first direct decision.
Following the DPC's announcement, the EDPB also published details of its binding decision in the case. EDPB Chair Andrea Jelinek said, "The EDPB found that (Meta's) infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences."
In a statement, Max Schrems, honorary chairman of NOYB, said, “It took us ten years of litigation against the Irish DPC to get to this result. We had to bring three procedures against the DPC and risked millions of procedural costs. The Irish regulator has done everything to avoid this decision, but was consistently overturned by the European Courts and institutions."
Meta posted a blog article responding to the decision by Nick Clegg, president of global affairs, and Jennifer Newstead, chief legal officer for the company, explaining their disappointment in being singled out and confirming: "We intend to appeal both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines."
While Meta can appeal, there is only a small chance the decision will be overturned. However, as Clegg and Newstead alluded, the prospect of a new EU-US Data Privacy Framework still on the horizon means that the possibility remains the suspension order would have no impact. “If the DPF comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users,” they said.
UPDATE: The IAPP has interviewed privacy professionals and advocates to get their reaction to the DPC fine. Future of Privacy Forum's Gabriela Zanfir-Fortuna explained that the "impact of this decision is very broad, going vastly beyond Meta and being of concern for all businesses, universities, clinical trials and whomever is transferring personal data from the EU to the US on the basis of SCCs in the absence of an adequacy decision." Meanwhile, Digiphile Managing Director Phil Lee said that the DPC's decision "effectively implicates all EU transfers of data to US tech companies."
In a more in-depth analysis, the IAPP consider whether the decision was a pragmatic punch or a knockout blow. Ultimately, this is a challenge for the respective governments, but if the EU-US Data Privacy Framework clock wasn't ticking already, it most certainly is now.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 4,350 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.