The Irish Data Protection Commission fines Meta 1.2 billion euros for unlawful US data transfers

May 23, 2023 |

Facebook/Meta continues to find itself in a . The Data Protection Commission (DPC) announced, that it had issued its decision to fine Meta Platforms Ireland Limited €1.2 billion for breach of Article 46(1) of the General Data Protection Regulation (GDPR) relating to its delivery of its Facebook service.

The DPC commenced its inquiry into Meta cin August 2020. In its draft decision it found that:

  • Meta’s data transfers to its US counterpart, Meta Platforms, Inc., were in breach of Article 46(1) of the GDPR 
  • such transfers should be suspended.
  • the transfers were made on the basis of a transfer and processing agreement between Meta and its US counterpart, which incorporated the European Commission’s 2021 Standard Contractual Clauses (SCCs), and included a Transfer Impact Assessment (TIA), noting a record of safeguards Meta and/or its US counterpart had in place to safeguard transfers, among other things.

In its final decision the DPC found Meta in breach of Article 46(1) of the GDPR in relation to its transfer of personal data from the EU/EEA to the US, following the delivery of the Court of Justice of the European Union’s (CJEU) judgment in Schrems II case.

The DPC noted that while the transfers took place on the basis of the updated 2021 SCCs, along with additional supplementary measures implemented by Meta, the arrangements were not sufficient to address the risks to fundamental rights and freedoms of data subjects identified by the CJEU in the Schrems II case.

It found that:

  • US law does not provide a level of protection that is essentially equivalent to that provided by EU law;
  • neither the 2010 SCCs, nor the 2021 SCCs, could compensate for the inadequate protection provided by US law;
  • the measures set out in Meta’s record of safeguards that form part of the TIA did not compensate for the inadequate protection provided by US law; and
  • it was not open to Meta to rely on the derogations provided for in Article 49(1) of the GDPR (or any of them) when making the data transfers.

As a consequence of that and on the basis of the EDPB’s decision of April 13, 2023, the DPC made the following orders:

  • a fine of €1.2 billion;
  • an order, under Article 58(2)(d) of the GDPR, to bring its processing operations into compliance with Chapter V of the GDPR, by way of ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC’s decision to Meta; and
  • an order, under Article 58(2)(j) of the GDPR, to suspend future transfers of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta.

The press release announcing the decision provides:

Brussels, 22 May – Following the EDPB’s binding dispute resolution decision of 13 April 2023, Meta Platforms Ireland Limited (Meta IE) was issued a 1.2 billion euro fine following an inquiry into its Facebook service, by the Irish Data Protection Authority (IE DPA). This fine, which is the largest GDPR fine ever, was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses (SCCs) since 16 July 2020. Furthermore, Meta has been ordered to bring its data transfers into compliance with the GDPR.

Andrea Jelinek, EDPB Chair, said: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”

In its binding decision of 13 April 2023, the EDPB instructed the IE DPA to amend its draft decision and to impose a fine on Meta IE. Given the seriousness of the infringement, the EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum. The EDPB also instructed the IE DPA to order Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the U.S. of personal data of European users transferred in violation of the GDPR, within 6 months after notification of the IE SA’s final decision.

The IE DPA’s final decision incorporates the legal assessment expressed by the EDPB in its binding decision, adopted on the basis of Art. 65(1)(a) GDPR after the IE DPA, as lead supervisory authority (LSA), had triggered a dispute resolution procedure concerning the objections raised by several concerned supervisory authorities (CSAs). Among others, CSAs issued objections aiming to include an administrative fine and/or an additional order to bring processing into compliance*.

The story has received significant coverage, given the record fine, with the BBC covering it with Meta: Facebook owner fined €1.2bn for mishandling data  . The story provides:

Facebook’s owner, Meta, has been fined €1.2bn (£1bn) for mishandling people’s data when transferring it between Europe and the United States.

Issued by Ireland’s Data Protection Commission (DPC), it is the largest fine imposed under the EU’s General Data Protection Regulation privacy law.

GDPR sets out rules companies must follow to transfer user data outside of the EU.

Meta says it will appeal against the “unjustified and unnecessary” ruling.

At the crux of this decision is the use of standard contractual clauses (SCCs) to move European Union data to the US.

These legal contracts, prepared by the European Commission, contain safeguards to ensure personal data continues to be protected when transferred outside Europe.

But there are concerns these data flows still expose Europeans to the US’s weaker privacy laws – and US intelligence could access the data.

This decision does not affect Facebook in the UK. The Information Commissioner’s Office told the BBC that the decision “does not apply in the UK” but said it had “noted the decision and will review the details in due course”.

‘Dangerous precedent’

Most large companies have complex webs of data transfers – which can include email addresses, phone numbers and financial information – to overseas recipients, many of which depend on SCCs.

And Meta says their broad use makes the fine unfair.

Facebook president Nick Clegg said: “We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.

“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”

Domestic alternatives

But privacy groups have welcomed that precedent.

Caitlin Fennessy, of the International Association of Privacy Professionals, said: “The size of this record-breaking fine is matched by the significance of the signal it sends.

“Today’s decision signals that companies have a whole lot of risk on the table.”

It could make EU companies demand US partners stored data within Europe – or switch to domestic alternatives, she added.

Decade-long battle

In 2013, former US National Security Agency contractor Edward Snowden disclosed American authorities had repeatedly accessed people’s information via technology companies such as Facebook and Google.

And Austrian privacy campaigner Max Schrems filed a legal challenge against Facebook for failing to protect his privacy rights, setting off a decade-long battle over the legality of moving EU data to the US.

Europe’s highest court, the European Court of Justice (ECJ), has repeatedly said Washington has insufficient checks in place to protect Europeans’ information.

And in 2020, the ECJ, ruled an EU-to-US data transfer agreement invalid.

But the ECJ left the door open for companies to use SCCs, saying the transfer of data to any other third country was valid as long as it ensured an “adequate level of data protection”.

It is that test Meta has been found to have failed.

‘Fundamentally restructure’

Asked about the €1.2bn fine, Mr Schrems said he was “happy to see this decision after 10 years of litigation” but it could have been much higher.

“Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems,” he added.

Despite the record-breaking size of the fine, experts have said they think Meta’s privacy practices will not change.

“A billion-euro parking ticket is of no consequence to a company that earns many more billions by parking illegally,” Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties.

The US recently updated its internal legal protections to give the EU greater assurances American intelligence agencies would follow new rules governing such data access.

In 2021, Amazon was fined for similarly flouting the EU’s privacy standard.

Ireland’s DPC has also fined WhatsApp, another Meta-owned business, for breaching stringent regulations relating to the transparency of data shared with its other subsidiaries.

Leave a Reply