The Irish Data Protection Commission has concluded its inquiry into Meta Ireland, during which it examined the basis upon which Meta Ireland transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service.
The DPC adopted its final decision on 12 May 2023. It says that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. Although Meta Ireland used the European Commission’s updated Standard Contractual Clauses with additional supplementary measures, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.
It found that:
- the data transfers in question were being carried out in breach of Article 46(1) GDPR; and
- in these circumstances, the data transfers should be suspended.
Under Article 60 GDPR, the DPC submitted the draft decision to other data protection regulators in the EEA. The other regulators agreed with the DPC’s draft decision regarding Meta Irelands non-compliance with the GDPR, and the DPC’s proposal to make an order to suspend the data transfers.
However, four of the other regulators (from Germany, France, Spain and Austria) raised objections, as they wanted Meta Ireland to be subject to an administrative fine. Two also said that Meta Ireland should be ordered to take action with the personal data that had already been unlawfully transferred to the US.
The DPC disagreed. It said that this would exceed the extent of powers that could be described being “appropriate, proportionate and necessary” to address the infringement of Article 46(1) GDPR. Therefore, the DPC referred the issue to the European Data Protection Board for determination under Article 65 GDPR.
The EDPB adopted its decision on 13 April 2023. The DPC has amended its decision in line with the EDPB’s decision and now requires:
- under an Order under Article 58(2)(j) GDPR, Meta Ireland to suspend any future transfer personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland;
- under an Order under Article 58(2)(d) GDPR, Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the DPC’s decision to Meta Ireland and
- an administrative fine in the amount of €1.2 billion (reflecting the EDPB’s determination that an administrative fine to be imposed, to sanction the infringement that was found to have occurred. The DPC decided the amount of the fine to be imposed by reference to the assessments and determinations that were included in the EDPB’s decision).
The EDPB has published the Article 65 decision and the final decision on its website. It says that “Meta’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences”.
Meta is reportedly appealing but the process is lengthy, as they will have to appeal to the High Court of Ireland, which will then refer the issue to the CJEU.