According to the Irish DPA, Meta Ireland violated Article 46(1) of the GDPR when the social media company continued to transfer Facebook user data out of the European Union to the United States.
Case Background
In July 2020, the Court of Justice of the European Union (CJEU), in the case Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, invalidated the Privacy Shield, which was a key mechanism used by many organizations to legally transfer personal data from the EU to the United States. In its decision, the CJEU said the alternative legal mechanism of Standard Contractual Clauses (SCCs) would continue to be valid, subject to various legal safeguards.
The European Commission defines SCCs as “standardized and pre-approved model data protection clauses that allow data controllers and processors to comply with their obligations under EU data protection law,” when transferring personal data outside of the EU.
However, according to the Irish DPA in the case against Meta, “these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.”
The Irish DPA began its investigation in August 2020. The High Court of Ireland stayed the investigation pending the resolution of a series of legal proceedings, which ended in May 2021. Following a full investigation, the Irish DPA prepared a draft decision in July 2022, in which it concluded that “the data transfers in question were being carried out in breach of Article 46(1) GDPR” and, thus, should be suspended.
A Legal Debate Unfolds
Under a cooperation procedure mandated by the GDPR, the Irish DPA submitted its draft decision to several Concerned Supervisory Authorities (CSAs). While the majority of CSAs agreed with the Irish DPA’s proposal to suspend the data transfers on account of Meta Ireland’s GDPR violations, four of the 47 CSAs objected to the corrective power that the Irish DPA proposed to exercise by way of the draft decision, arguing Meta Ireland should be subject to an administrative fine for the GDPR violation.
Two of the CSAs also argued Meta Ireland “should be ordered to take action to address the personal data that had already been unlawfully transferred to the United States,” according to the Irish DPA. The Irish DPA said it disagreed, reflecting its view that the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being “appropriate, proportionate and necessary” to address the infringement of Article 46(1) GDPR.
Following an informal consultation process, a consensus could not be reached. Consistent with its obligations under the GDPR, the Irish DPA referred the objections to the European Data Protection Board (EDPB) for determination under Article 65, the GDPR’s dispute resolution mechanism.
EDPB Decision
On April 13, the EDPB issued its binding dispute resolution decision. In its decision, the EDPB instructed the Irish DPA to amend its draft decision and impose a fine on Meta. “Given the seriousness of the infringement, the EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum,” the EDPB stated.
The EDPB also instructed that Meta be required to cease the unlawful processing, including storage, in the United States of European users’ personal data transferred in violation of the GDPR within six months after notification of the final decision.
“The EDPB found that Meta IE’s infringement is very serious, since it concerns transfers that are systematic, repetitive and continuous,” said EDPB Chair Andrea Jelinek. “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.”
Meta’s Strong Response
In a blog post, Meta said it is appealing the decisions “and will immediately seek a stay with the courts who can pause the implementation deadlines.”
Meta said it used SCCs “believing them to be compliant” with the GDPR. “Despite acknowledging we had acted in good faith and that a fine was unjustified, the [Irish DPA] was overruled at the last minute by the EDPB,” Meta stated.
Meta added that the decision is “flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and the United States. It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard.”
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.