Ireland’s Data Protection Commission (DPC) has imposed a fine of €1.2 billion on Meta’s Irish subsidiary and ordered the company to stop sending the personal data of Facebook users in Europe to the US – beginning in five months’ time.
According to the DPC, Meta Ireland breached EU data protection laws in relation to the data transfers despite the fact the company used standard contractual clauses (SCCs) issued by the European Commission in 2021, in tandem with other supplementary measures, to underpin those transfers.
Meta described the decision as flawed and unjustified, and confirmed the company’s intention to appeal.
The action announced by the DPC follows intervention by other data protection authorities based across the EU and reflects a binding decision imposed on the Irish authority by the European Data Protection Board (EDPB).
The DPC found that the arrangements Meta Ireland put in place to underpin the data transfers “did not address the risks to the fundamental rights and freedoms of data subjects” that the Court of Justice of the EU (CJEU) had identified in its so-called ‘Schrems II’ ruling in 2020.
In that case, the CJEU highlighted shortcomings with the safeguards in place to counteract US legislation that gives US law enforcement and intelligence agencies powers to request and access data, and outlined what businesses need to do to comply with EU data protection laws when transferring personal data outside of the EEA – including to the US.
Initially, the DPC proposed to impose only a suspension order against Meta Ireland, but its draft decision was open to input from other national data protection authorities (DPAs) across Europe because the issues concerned data about Facebook users from across the European Economic Area (EEA).
Some of the other DPAs wanted the DPC to impose a fine as well as a suspension order in the case, to reflect past infringements. However, the DPC considered that “the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being ‘appropriate, proportionate and necessary’” – the thresholds that qualify DPAs’ enforcement powers under the GDPR.
When no consensus could be reached, the case was referred to the EDPB for a binding decision. The EDPB’s intervention has resulted in the company being issued with a €1.2bn fine on top of the suspension order – a record penalty under the GDPR, topping the €746 million fine imposed on Amazon by Luxembourg’s data protection authority in 2021.
Meta Ireland has been given six months to ensure that its processing operations concerning the data of Facebook users based in the European Economic Area (EEA) comply with the GDPR’s rules governing the international transfer of personal data.
In a blog, Nick Clegg, president of global affairs at Meta, and Jennifer Newstead, the company’s chief legal officer, confirmed Meta Ireland’s intention to appeal against the decision and ask the courts to delay the effect of the DPC’s orders. They said they feel the company has been “singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe”.
“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” they said.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US. It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard,” they added.
Clegg and Newstead also looked ahead to the prospect of the new ‘Privacy Shield 2.0’ – formally, the EU-US Data Privacy Framework (DPF) – taking effect. The proposed new framework has been negotiated by EU and US officials with a view to it facilitating EU-US data flows in future in a way that provides for adequate data protection in respect of EU citizens’ data exported to the US, as required under the GDPR. If the Privacy Shield 2.0 takes effect before the suspension order issued in this case takes effect, and providing Meta Ireland conforms to the requirements for making data transfers under the new framework, the suspension order would have no practical impact.
“If the DPF comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users,” said Clegg and Newstead.