Enforcement
EN

Meta Platforms Ireland Limited: Insufficient legal basis for data processing

€1,200,000,000 fine - Data Protection Authority of Ireland

May 12, 2023 Source

Content

The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 1.2 billion. This is the highest fine imposed to date under the GDPR. In its decision, the DPC found that Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU. According to the Schrems II ruling, U.S. law does not provide a level of protection for personal data substantially equivalent to that provided by EU law and that the standard contractual clauses (SCCs) also do not provide sufficient protection. Meta based its data transfers on the SCCs and additional own safeguards. However, during its investigation, the DPC determined that these additional measures did not compensate for the inadequate protections provided by U.S. law. Following the investigation, the DPC submitted a draft decision to other concerned supervisory authorities pursuant to Art. 60 GDPR. In response, the DPC received objections from supervisory authorities, which led to a dispute resolution procedure before the European Data Protection Board (EDPB). In its decision, the EDPB asked the DPC to amend the proposed fine and adapt it to the seriousness of the data protection breach. The DPC also ordered to cease any future transfer of personal data to the U.S., as well as to cease storage, within six months, of data already transferred to the U.S. Meta has announced that it will appeal the ruling and seek a suspension of the orders in court.

GDPR Articles: Art. 46 (1) GDPR
Industry: Media, Telecoms and Broadcasting

Key Excerpts from Decision

Data Protection Commission announces conclusion of inquiry into Meta Ireland 22nd May 2023 The Data Protection Commission (“the DPC”) has today announced the conclusion of its inquiry into Meta Platforms Ireland Limited (“Meta Ireland”), examining the basis upon which Meta Ireland transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service. The DPC adopted its final decision in this inquiry on 12 May 2023. The decision records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment. The inquiry was initially commenced in August 2020, and was subsequently stayed by Order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021. Following a comprehensive investigation, the DPC prepared a draft decision dated 6 July 2022. Notably, it found that: 1. the data transfers in question were being carried out in breach of Article 46(1) GDPR; and 2. in these circumstances, the data transfers should be suspended. Under a cooperation procedure mandated by the GDPR (Article 60), the draft decision prepared by the DPC was submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”). The nature of the processing under examination by the inquiry was such that all other EU/EEA Supervisory Authorities were engaged as CSAs for the purpose of the cooperation procedure. On the question of Meta Ireland’s non-compliance with the GDPR, and the DPC’s proposal to make an order to suspend the data transfers, the CSAs agreed with the DPC’s decision. A small number (4) of the 47 CSAs raised objections in relation to the corrective power that the DPC proposed to exercise by way of the draft decision. Within this subset of CSAs, all four CSAs took the view that Meta Ireland should be subject to an administrative fine for the infringement that was found to have occurred. Two of those CSAs also took the view that Meta Ireland should be ordered to take action to address the personal data that had already been unlawfully transferred to the US, i.e. the data transferred from July 2020 to the present. The DPC disagreed, reflecting its view that the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being “appropriate, proportionate and necessary” to address the infringement of Article 46(1) GDPR. Following an informal consultation process, it became clear that consensus

View Full Original Decision (English)