On 22nd May 2023, the Data Protection Commission (“DPC”) announced that it had issued its decision (dated 12 May 2023) in which it fined Meta Platforms Ireland Limited €1.2 billion for breach of Article 46(1) of the General Data Protection Regulation (GDPR) relating to its delivery of its Facebook service.
The DPC launched an investigation into Meta in August 2020. After conducting its investigation, the DPC released its draft decision in which it determined that Meta’s data transfers to its US equivalent, Meta Platforms, Inc., were done in violation of Article 46(1) of the GDPR and that those transfers should be stopped.
In this regard, the transfers were made in accordance with a transfer and processing agreement between Meta and its US counterpart, which included a Transfer Impact Assessment (“TIA”), noting a record of safeguards Meta and/or its US counterpart had in place to safeguard transfers, among other things. The agreement also incorporated the 2021 Standard Contractual Clauses (“SCCs”) of the European Commission.
Against this background, the DPC's draft decision was then submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (CSAs), pursuant to a cooperation procedure mandated by Article 60 of the GDPR. After failing to reach a consensus under the cooperation procedure, the DPC referred objections by the CSAs to its draft decision to the European Data Protection Board (EDPB) for determination pursuant to the dispute resolution mechanism under Article 65 of the GDPR.

Findings of the DPC
The DPC found Meta in breach of Article 46(1) of the GDPR in relation to its transfer of personal data to the US, following the delivery of the Court of Justice of the European Union’s (“CJEU”) judgment in the Schrems II case. In particular, while the transfers took place on the basis of the updated 2021 SCCs, along with additional supplementary measures implemented by Meta, the arrangements were not sufficient to address the risks to fundamental rights and freedoms of data subjects identified by the CJEU in the Schrems II case.
More specifically, the DPC specified that:
- US law does not provide a level of protection that is equivalent to that provided by EU law
- Neither the 2010 SCCs, nor the 2021 SCCs, could compensate for the inadequate protection provided by US law
- The measures set out in Meta’s record of safeguards that form part of the TIA that are presented as supplemental to the measures for which provision is made in the 2010 SCCs and/or 2021 SCCs, do not compensate for the inadequate protection provided by US law; and
- It is not open to Meta to rely on the derogations provided for in Article 49(1) of the GDPR when making the data transfers.
On the basis of the EDPB's decision of April 13, 2023, the DPC exercised the following corrective powers against Meta for its breach of Article 46(1) of the GDPR:
- an order, under Article 58(2)(d) of the GDPR, to bring its processing operations into compliance with Chapter V of the GDPR, by way of ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC's decision to Meta; and
- an order, under Article 58(2)(j) of the GDPR, to suspend future transfers of personal data to the US within the period of five months from the date of notification of the DPC's decision to Meta.
In response to the DPC's decision, Meta noted that it will be appealing the DPC's decision and will seek a stay with the courts to pause the implementation of applicable deadlines under the same.
You can read the press release here, and Meta’s response here.